Google shipped an emergency fix for Chrome on Windows on June 30, 2026, closing a local privilege escalation flaw in Chromoting that could hand an attacker full control of a PC. The patch, delivered in Chrome 150.0.7871.47, addresses CVE-2026-14060, a bug rated High severity that had been silently exploitable for weeks before the company pushed the update.

What Actually Changed

The vulnerability sits inside Chromoting, Chrome’s remote desktop component. Google’s advisory describes it as an “insufficient input validation” error that allows a local attacker to escalate privileges. In practice, that means anyone with a foothold on your machine—a malicious insider, a compromised guest account, or malware that has already slipped past other defenses—can use the flaw to jump from a restricted user to SYSTEM-level access.

Only Chrome for Windows is affected; macOS, Linux, and mobile builds are not impacted. The fixed build, 150.0.7871.47, arrived via the stable channel at roughly 4 p.m. PT on June 30, alongside a handful of non-security bug fixes. Google withheld technical details of the exploit, as is standard, to give users time to patch. Security researchers at the Zero Day Initiative (ZDI) reported the issue at the start of June, and public proof-of-concept code appeared on GitHub on June 28, likely accelerating the patch timeline.

The fix changes how Chromoting processes IPC (inter-process communication) messages. According to a Chromium commit linked to the bug, the component was failing to validate the size and origin of certain messages, so a local attacker could craft one that the elevated Chromoting host process would act on as if it came from a trusted sender, ending in commands executed with the host's privileges. The patch adds bounds checking on message size and verifies the sender of each message before the host acts on it.

For admins: if you manage Chrome via group policy or deployment tools, confirm the fix by checking that the installed version is 150.0.7871.47 or later. Compare the full four-part version rather than looking for a trailing ".47", since a later build will carry a different number. The MSI installer for this release is available on the usual enterprise download page.

What’s at Stake

Local privilege escalation (LPE) bugs rarely make headlines the way remote code execution flaws do, but for targeted attacks, they are often the difference between a nuisance and a disaster. An attacker who already has code execution on your system—say through a phishing email that installed a backdoor—typically inherits the privileges of the logged-in user. On a well-configured machine, that means the malware can’t tamper with system files, install kernel drivers, or disable security software.

CVE-2026-14060 removes that barrier. With only limited user rights, an attacker can exploit Chromoting to gain SYSTEM access, giving them the keys to the kingdom. From there, they can dump credentials, install persistent implants, disable Windows Defender, and move laterally across the network. The bug is particularly dangerous in shared environments: university computer labs, hospital workstations, or corporate thin clients where multiple users share a single device. If one of those users is malicious, the exploit turns a low-privilege session into instant total compromise.

Home users are not immune, either. While remote exploitation is not possible—the attacker must already have code running locally—blended attacks are common. A malicious browser extension, a trojanized freeware installer, or a USB drop that runs an untrusted executable could all serve as the initial infection vector. Once inside, the LPE exploit escalates the threat actor’s control, potentially turning a minor annoyance into a ransomware event.

For enterprises, the risk compounds. Many organizations rely on Chrome Remote Desktop for IT support and employee access, which means the Chromoting host service is installed and running on a large share of their endpoints. Every unpatched host is an escalation path for any attacker who gains a low-privilege foothold on that machine, and a SYSTEM-level compromise on one endpoint is the usual starting point for lateral movement. Administrators should treat the bug as a high-priority patch, on par with browser remote code execution fixes.

How We Got Here

Chromoting is the engine behind Chrome Remote Desktop, a free remote access tool Google launched in 2011. It works by installing a lightweight host service that runs in the background, even when Chrome is closed. That service communicates via IPC with the browser and other processes to relay mouse, keyboard, and screen data. Because the host needs deep system access to capture input and render the desktop, it runs with elevated privileges—hence the potential for a severe LPE if its message-handling routine is sloppy.

The bug class—insufficient input validation in an IPC endpoint—has been a recurring theme in Chrome security updates over the past two years. In 2025, Google patched CVE-2025-0197, a similar LPE in the update mechanism itself. The pattern suggests that while Chrome’s sandbox architecture is effective at containing web threats, the auxiliary services that support the browser’s extended functionality sometimes receive less scrutiny.

Google's response time in this instance was brisk but not record-setting. According to ZDI's disclosure timeline, the bug was reported on June 2, 2026, and the fix shipped 28 days later, well inside the norm for a High-severity local bug. But the public release of a PoC on June 28, likely by a third party who spotted the fix in the public Chromium tree before the release shipped or who found the bug independently, compressed the window drastically. Chrome users were effectively running at heightened risk for roughly 48 hours before the official patch landed.

The identifier CVE-2026-14060 was assigned by MITRE. At the time of writing, the National Vulnerability Database (NVD) had not yet published a CVSS score, but ZDI's advisory rates it 7.8 (High). The components ZDI describes are a local attack vector, low attack complexity, low privileges required, no user interaction once an attacker has code execution, and high impact on confidentiality, integrity, and availability, which corresponds to the CVSS v3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

What You Should Do Now

Updating Chrome is straightforward, but the process can trip up users who haven’t restarted the browser in days. Here’s how to verify you’re safe:

  1. Check your version: Open Chrome, click the three-dot menu, navigate to Help > About Google Chrome. The version number should read 150.0.7871.47 or later. If you see an older version, Chrome will automatically download and install the update. Click “Relaunch” to apply it.

  2. If auto-update is stuck: Some machines, particularly in corporate environments, may have GPO policies that disable automatic updates or force a specific channel. Check with your IT admin if you’re not receiving updates. Standalone users can download the latest installer from google.com/chrome and run it manually; this will replace the existing installation without losing data.

  3. Verify the fix actually took: After relaunching, revisit the About page to confirm the version. For forensic clarity, admins can inspect the chrome.dll file version in the versioned install directory (typically C:\Program Files\Google\Chrome\Application\150.0.7871.47\). The binary should carry a valid Authenticode signature from Google; the file version, not the signature date, is the authoritative indicator that the fixed build is installed.

  4. For managed environments: Use your endpoint management tool, whether SCCM, Intune, or Workspace ONE, to push the update immediately. If you pin Chrome to specific versions (for example with Google Update's TargetVersionPrefix policy), move the pin to 150.0.7871.47 or the update will never arrive. Note that Chrome's enterprise stable release often lags behind the consumer release by a few hours; MSI packages are now available for download.

  5. When you can't patch right away: Because the flaw is triggered through local IPC messages to the Chromoting host rather than through network traffic, a Windows Firewall rule does not close the attack path, and blocking the host's traffic would only break remote desktop functionality without protecting the machine. The effective stopgap is to stop and disable the Chrome Remote Desktop host service (via services.msc or the service management cmdlets) until the patch is applied, accepting that remote access to that machine is unavailable in the meantime. Users with a critical workflow that prevents an immediate browser restart should still schedule the relaunch as soon as the workflow allows.

  6. Restart the host process: Even after updating Chrome, the Chromoting host service may keep running the old binary. If you use Chrome Remote Desktop, restart the host service (from services.msc, or by toggling remote access off and on again in the Chrome Remote Desktop web app at remotedesktop.google.com). Alternatively, restart the machine after the update to ensure all components reload.
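The admin check described earlier and the six steps above can be folded into one script. The following PowerShell is an added example (the editor's code, not Google's or a deployment vendor's): it reads the installed Chrome version and compares it with the fixed build as a proper version, inspects the chrome.dll actually loaded in running Chrome processes to see whether a relaunch is still needed, checks the Authenticode signature on the installed chrome.dll, and stops and disables, or restarts, the Chrome Remote Desktop host service. It assumes the host service is registered under the name "chromoting" and that the installer's App Paths registry entry points at chrome.exe on a standard per-machine install; neither is stated on this page.

```powershell
# Added example (editor's code, not Google's): verify the CVE-2026-14060 fix on a Windows host.
# Assumptions not stated on the page: the Chrome Remote Desktop host service is named
# "chromoting", and the App Paths registry entry points at chrome.exe on a per-machine install.
# Run from an elevated 64-bit PowerShell session so service state and process modules are readable.

$FixedVersion = [version]'150.0.7871.47'

function Get-ChromeInstallPath {
    # App Paths is written by the Chrome installer; fall back to the default per-machine path.
    $appPaths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe'
    $p = (Get-ItemProperty -Path $appPaths -ErrorAction SilentlyContinue).'(default)'
    if ($p -and (Test-Path $p)) { return $p }
    return 'C:\Program Files\Google\Chrome\Application\chrome.exe'
}

function Test-ChromePatched {
    # Compare the on-disk product version with the fixed build as [version] objects, so that
    # 150.0.7900.1 counts as newer than 150.0.7871.47 (a string or ".47" suffix check would not).
    $exe = Get-ChromeInstallPath
    if (-not (Test-Path $exe)) { return [pscustomobject]@{ Installed = $false; Version = $null; Patched = $false } }
    $v = [version](Get-Item $exe).VersionInfo.ProductVersion
    [pscustomobject]@{ Installed = $true; Version = $v; Patched = ($v -ge $FixedVersion) }
}

function Test-RunningChromeVersion {
    # The on-disk version can be current while open windows still run the old chrome.dll.
    # Look at the chrome.dll module actually loaded in each chrome.exe process.
    Get-Process -Name chrome -ErrorAction SilentlyContinue | ForEach-Object {
        try {
            $dll = $_.Modules | Where-Object { $_.ModuleName -eq 'chrome.dll' } | Select-Object -First 1
            if ($dll) {
                $rv = [version]$dll.FileVersionInfo.ProductVersion
                [pscustomobject]@{ ProcessId = $_.Id; RunningVersion = $rv; NeedsRelaunch = ($rv -lt $FixedVersion) }
            }
        } catch {
            # Module enumeration fails across bitness or for another user's processes.
            Write-Warning "Cannot inspect modules of chrome.exe PID $($_.Id): $_"
        }
    }
}

function Test-ChromeSignature {
    # Authenticode check on the installed, versioned chrome.dll. The version is the authoritative
    # indicator of the fix; an invalid or non-Google signature indicates tampering.
    $state = Test-ChromePatched
    if (-not $state.Installed) { return $null }
    $dir = Split-Path (Get-ChromeInstallPath)
    $dll = Join-Path (Join-Path $dir $state.Version.ToString()) 'chrome.dll'
    if (-not (Test-Path $dll)) { return $null }
    $sig = Get-AuthenticodeSignature -FilePath $dll
    [pscustomobject]@{
        Path    = $dll
        Status  = $sig.Status
        Signer  = $sig.SignerCertificate.Subject
        Trusted = ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -match 'Google')
    }
}

function Set-ChromotingHost {
    # 'Disable' is the stopgap while the build is still vulnerable; 'Restart' reloads the host
    # after patching so it does not keep running the old binary.
    param([Parameter(Mandatory)][ValidateSet('Disable', 'Restart')][string]$Action)
    $svc = Get-Service -Name chromoting -ErrorAction SilentlyContinue   # assumed service name
    if (-not $svc) { Write-Warning 'Chrome Remote Desktop host service not found'; return }
    switch ($Action) {
        'Disable' { Stop-Service -Name $svc.Name -Force; Set-Service -Name $svc.Name -StartupType Disabled }
        'Restart' { Set-Service -Name $svc.Name -StartupType Automatic; Restart-Service -Name $svc.Name -Force }
    }
    Get-Service -Name $svc.Name | Select-Object Name, Status, StartType
}

# Usage: report state, then either disable the host (still vulnerable) or restart it (patched).
$state = Test-ChromePatched
$state
Test-RunningChromeVersion
Test-ChromeSignature
if ($state.Patched) { Set-ChromotingHost -Action Restart } else { Set-ChromotingHost -Action Disable }
```

The same functions work as an Intune or SCCM detection script if the trailing usage lines are replaced with an exit code derived from Test-ChromePatched, and the version comparison is what matters: anything that keys on the literal ".47" suffix will report every later build as vulnerable.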

No zero-day exploitation has been confirmed in the wild as of June 30, but the public PoC means script kiddies and automated exploit frameworks will likely integrate the bug rapidly. The window of safety depends on your speed of updating.

The Outlook

This bug underscores a broader reality of modern software: every ancillary feature expands the attack surface. Chromoting is a convenience, not a core browsing component, yet it runs with high privileges by necessity. Enterprises should audit which Chrome components are actually required for day-to-day work; if remote desktop is unnecessary, the host service can be disabled via GPO without affecting browser security.

Google’s accelerated patch rollout demonstrates that the company can move quickly when a local exploit is weaponized publicly. However, the gap between responsible disclosure and patch remains a challenge for the industry. Until vendors adopt continuous delivery models for security fixes—pushing patches the moment they’re tested rather than hoarding them for a major release—users will face these moments of exposure.

In the short term, expect security researchers to publish deep-dive analyses of CVE-2026-14060 within the next week. Those write-ups will likely show just how much control an attacker could seize and may turn up related weaknesses in neighboring Chromoting code paths. For now, updating Chrome is the single best defense.