Google has shipped an emergency update for Chrome on iOS to close a security hole tracked as CVE-2026-13795. The fix arrives in version 150.0.7871.47 and applies exclusively to iPhones and iPads. Windows desktop Chrome is not listed as vulnerable in the National Vulnerability Database advisory, meaning the millions of users who run Chrome on PCs can safely ignore this particular alert.

What Changed in Chrome for iOS 150.0.7871.47

The update patches a single vulnerability that could allow an attacker to execute arbitrary code or cause a crash, though Google hasn’t disclosed the technical specifics. The company’s standard practice is to withhold details until a majority of users have applied the fix, reducing the risk of active exploitation. The iOS app’s release notes simply state: “This update includes security improvements and bug fixes.”

The CVE record confirms that only Chrome for iOS versions prior to 150.0.7871.47 are affected. There’s no mention of Android, Windows, macOS, or Linux variants. This aligns with the iOS version’s unique architecture: while all versions of Chrome share a common codebase, the iOS edition must use Apple’s WebKit rendering engine rather than Google’s own Blink engine. Security bugs in the iOS-specific wrapping code—such as API calls, sandboxing, or user interface logic—would naturally be confined to that platform.

Google has not assigned a severity rating to the flaw, but the company’s decision to rush out a point release suggests it was deemed important. The CVE identifier was reserved on April 23, 2026, and the patch landed within days, indicating a coordinated disclosure rather than an in-the-wild zero-day. Still, the urgency implies that exploitation could be possible under certain conditions.

What This Means for You

For iPhone and iPad Users

If you use Chrome on an iOS device, you need to update immediately. The App Store should already be offering the new version. Here’s how to verify:

  • Open the App Store and tap your profile icon.
  • Scroll to find Chrome in the list of pending updates and tap Update.
  • After the update completes, open Chrome, tap the three-dot menu, go to Settings, and check the version number at the bottom of the list. It should read 150.0.7871.47.

Until you update, avoid opening suspicious links in Chrome, especially from untrusted sources or in emails. While no active attacks have been reported, the race between attackers and defenders is often measured in hours once a patch is public.

For Windows, Android, and Desktop Users

You are not affected by CVE-2026-13795. The vulnerability exists only in the iOS version of Chrome. If you use Chrome on Windows, macOS, Linux, or Android, your current version is not listed in the advisory. You can continue using Chrome normally, though keeping it up to date is always recommended for other security fixes.

For IT Administrators and Enterprise Environments

If your organization manages iOS devices via Mobile Device Management (MDM) or Microsoft Intune, you should push the Chrome update to all supervised iPhones and iPads immediately. The update has no known functional side effects; it is a pure security fix.

Microsoft shops that sync iOS Chrome with enterprise policies should note that this CVE does not trigger any Windows-side compliance actions. However, if your vulnerability scanner flags outdated Chrome on iOS endpoints, you may need to suppress false positives for Windows machines. Verify that your scanner correctly differentiates between OS-specific builds—some tools mistakenly apply iOS CVEs to all Chrome instances.

For developers testing Progressive Web Apps on iOS, this update does not alter rendering behavior or WebKit capabilities. There’s no change to the browser engine, so existing test suites should pass without modification.

How We Got Here

Chrome’s update cadence on iOS has historically been intertwined with Apple’s WebKit requirement. Since its debut in 2012, Chrome for iOS has packaged Chromium’s networking, sync, and UI layers around the system’s built-in WebKit framework. This means security bugs unique to the iOS version rarely overlap with the desktop or Android editions.

In 2025, Google accelerated its iOS release schedule to match the four-week major-release cycle of other platforms, leading to version numbers like 150. The jump from Chrome 149 to 150 a few weeks ago brought tab groups and enhanced password management, but also introduced new attack surface. CVE-2026-13795 is likely a regression in that code or a related component.

The vulnerability was discovered either by an external researcher through Google’s Vulnerability Reward Program or by internal fuzzing. Google has not named a reporter, which sometimes happens when the finder requests anonymity or when the flaw is found in routine internal audits. If a bug bounty was paid, the amount could range from $500 to $7,500 depending on impact, though iOS-only flaws tend to be at the lower end due to the sandboxed environment.

Apple’s App Store review process adds a wrinkle: Google cannot push a hotfix as quickly as it can for desktop Chrome, where updates flow through the browser’s omnibox within hours. For iOS, Google must submit a binary to Apple, wait for review, and then release it. This delay, though typically less than 24 hours, is a crucial window when a severe flaw is uncovered.

What to Do Now

Update Chrome on iOS Immediately

  1. Check your current version: Open Chrome, tap the three-dot menu (bottom right on iPhone, top right on iPad), go to Settings, and scroll to “Google Chrome.” The version number appears there.
  2. Update via the App Store: Go to the App Store, tap your profile icon, and pull down to refresh the updates list. If Chrome appears with an “Update” button, tap it. You can also search for “Chrome” and tap “Update” on its store page.
  3. Enable automatic updates (if you haven’t): In iOS Settings, go to App Store and toggle on “App Updates.” This ensures you receive future security fixes without manual intervention. However, automatic updates can take hours or days to trigger; manual checking is faster.
  4. Close all Chrome tabs and relaunch: After the update, force-quit Chrome (swipe up from the app switcher) and reopen it to ensure the new build is fully loaded.

Verify the Fix Took Effect

After updating, the version should be 150.0.7871.47. If you see an earlier build—such as 150.0.7871.43 or 149.x—the update hasn’t been installed. Repeat the App Store steps. In some cases, temporarily offloading the app and reinstalling it (from Settings > General > iPhone Storage > Chrome > Offload App) can force the new version if the store isn’t showing it.

For Managed Fleets

  • Intune users: Force a sync from the Microsoft Intune admin center under Apps > iOS/iPadOS apps > Chrome. Ensure the assignment is set to “Required” with the latest version.
  • Jamf or other MDM: Push an app update command or configure a patch policy that targets Chrome version less than 150.0.7871.47.
  • Verify compliance: Run a report to list all managed iOS devices and their Chrome versions. Flag any still on older builds and initiate a re-push.

No Action Needed for Windows Servers or Desktops

Windows systems do not need this update. Do not confuse this CVE with any future Windows-specific Chrome patches. Check for desktop Chrome updates separately by going to the three-dot menu > Help > About Google Chrome, which will trigger a version check.

Outlook

Google has not indicated that this vulnerability has been exploited in the wild, but the rapid fix suggests the company wants to close any window of opportunity. It is possible that the CVE details will be made public in a week or two, once the majority of iOS users have updated. Security researchers will then be able to assess whether the flaw could have been chained with other bugs to break out of WebKit’s sandbox or steal sensitive data.

For Windows administrators, the key takeaway is to keep an eye on Chrome’s update feed across all platforms—just because this CVE doesn’t affect desktops now doesn’t mean a similar bug won’t appear later. The Chrome team often finds and fixes flaws that are systemic across multiple platforms after an initial report. When a vulnerability in one variant is disclosed, it’s wise to check whether the same pattern exists in others.

In the meantime, iOS users should update now. The App Store makes it a one-tap process, and there’s no reason to delay.