Google has shipped a security update for Chrome on iOS, closing a medium-severity vulnerability in its Safe Browsing interface that could allow attackers to fool users into trusting malicious websites. The flaw, tracked as CVE-2026-13912, requires an update to Chrome version 150.0.7871.47.
What Actually Changed
Chrome 150.0.7871.47 for iOS patches a user-interface bug deep inside Google Safe Browsing—the service that warns you when you try to visit phishing sites, download malware, or browse sites known to be dangerous. According to the CVE entry, the vulnerability let a remote attacker manipulate how those warnings appear on screen. Specifically, the flaw could spoof the Safe Browsing interface, meaning a carefully crafted website might hide the red warning page entirely, or worse, display a fake “safe” label when you’re actually staring down a credential-stealing phishing form.
This isn’t a critical remote code execution bug—hence the medium severity rating—but it undermines a core defense mechanism. Chrome on iOS is required by Apple to use WebKit, the same rendering engine Safari uses, and Safe Browsing warnings are rendered in a standard UI overlay. Any crack in that overlay’s integrity is a serious problem for mobile users who bank, shop, and work from their iPhones.
What It Means for You
For everyday iPhone and iPad users: If Chrome is your primary browser, updating is non-negotiable. Until you patch, every phishing link you tap could look like a clean site. Safe Browsing’s entire purpose is to catch URLs that are nearly indistinguishable from the real thing—think "bankofarnerica.com" instead of "bankofamerica.com." Without reliable warnings, you lose the safety net that stops you from entering passwords on look-alike pages.
For enterprise administrators: This is not a drill. If your fleet uses Chrome on managed iOS devices, push the update immediately via your MDM. A medium-severity flaw doesn’t sound terrifying, but it directly impacts users who might be targeted by spear-phishing campaigns—exactly the kind of attack that bypasses email gateways by texting a link to a phone. Delaying exposes your organization to credential theft that’s hard to trace until it’s too late.
For developers: Any app embedding Chrome via SFSafariViewController or similar isn’t affected—this bug lives inside the full Chrome app. But if your team relies on Chrome’s built-in security alerts during testing or customer demos, be aware that the pre-patch behavior is unreliable under attack conditions.
How We Got Here
The flaw was discovered internally by Google’s security team and disclosed as part of a routine Chrome update cycle. CVE-2026-13912 was reserved earlier this year, and details remained under wraps until a fixed version was available. This is standard practice: Google typically holds vulnerability details to give users time to update before attackers can reverse-engineer the patch.
Interface spoofing bugs aren’t new to Safe Browsing. Similar flaws have cropped up in desktop Chrome, Firefox, and even Safari’s native implementation (which also uses Google’s Safe Browsing blocklist). The twist here is iOS-specific: because Chrome must use Apple’s WebKit engine, the UI for Safe Browsing warnings is rendered differently than on Android or desktop. A logic error in how Chrome’s code interacted with that iOS UI layer opened the door to spoofing. Apple’s own Safari wasn’t impacted—its warning interface is handled natively by iOS—but Chrome’s extra layer of custom UI around the same engine introduced the risk.
This is a reminder that even “secure” mobile ecosystems aren’t immune. iOS’s sandboxing and App Store review are powerful defenses, but they don’t catch logical interface flaws. And because mobile browsers often get less frequent updates than their desktop counterparts, users can remain vulnerable for longer.
What to Do Now
Update immediately. Here’s how:
- Open the App Store on your iPhone or iPad.
- Tap your profile picture in the top right.
- Scroll down to find Chrome in the list of pending updates.
- Tap “Update” next to Chrome. If you don’t see it, pull down to refresh—the update may still be propagating regionally.
Alternatively, you can force the update by navigating to chrome://settings/help inside Chrome. The browser will check its version and apply the update if available.
Verify the version: After updating, go to Chrome > ⋮ menu > Settings > About Chrome. The version number should read 150.0.7871.47 or higher. If it’s lower, the patch hasn’t been installed.
Enterprise steps: If you manage iOS devices with Intune, Jamf, or another MDM, push the latest version of Chrome as a required app update. Set a compliance deadline—ideally within 24 hours—and communicate to users that this is a security fix, not a feature release.
There are no workarounds. Disabling Safe Browsing isn’t practical (and removes all protection). Avoiding Chrome entirely is an option—Safari is unaffected—but for those who rely on sync, passwords, and extensions, updating is the only path.
Outlook
Google’s Safe Browsing team is likely auditing similar UI patterns across all platforms after this disclosure. Mobile browsers are now primary workhorses for millions, and attackers know that a well-timed link sent via iMessage has a higher chance of bypassing suspicion than an email. Expect hardened warning displays and deeper integration testing, especially around how Chrome’s overlay interacts with iOS rendering.
Keep automatic updates turned on. This CVE reinforces why zero-click update mechanisms and silent background refreshes matter: the fewer manual steps between a patch and a user, the safer everyone stays.