Google shipped Chrome 150.0.7871.47 on June 30, 2026, closing a medium-severity vulnerability that could let a malicious browser extension swipe data from websites you visit—even if those sites are unrelated to the extension’s purpose. The flaw, tracked as CVE-2026-14003, sits in the heart of Chrome’s Extensions system and, if left unpatched, lets a rogue add-on bypass the fundamental web boundary that keeps one site’s secrets from being snatched by another.
What the Patch Fixed
The update rolls out to the Stable channel for Windows, Mac, and Linux, bringing Chrome to build 150.0.7871.47. Google’s security advisory characterizes the bug as a “cross-origin data leak in Extensions,” a description that hints at the core problem: extensions can typically read or modify data on pages where they have explicit permission, but a logic error allowed a crafted extension to sidestep those restrictions and extract information from any origin a victim browsed. The company hasn’t disclosed full technical details yet—a standard practice to give the bulk of users time to update—but the medium severity rating suggests the exploitation requires some user interaction, likely installing a malicious or hijacked extension.
Chrome 150 bundles this fix alongside a handful of other security patches, though Google’s release notes indicate that CVE-2026-14003 is the only one, whether reported by external researchers or found by internal auditing, that directly affects extension security. Windows users get the update through Chrome’s automatic updater, which typically rolls out over a week. Admins managing fleets via Group Policy or endpoint management tools can pull the MSI installer from Google’s enterprise download page to accelerate deployment.
The Real-World Risk
For the average Windows user, the danger unfolds silently. Say you’ve installed an extension that looks legitimate—maybe a dark-mode toggle or a coupon finder. Under normal circumstances, that extension can only see what happens on the domains you’ve allowed it to interact with. But with CVE-2026-14003, a malicious add-on could peek into your banking session on a separate tab, grab cookies, or read personal messages from a webmail client, all without triggering any visible alarm. The data could then be shipped off to an attacker’s server, enabling identity theft, session hijacking, or targeted phishing campaigns.
Power users who juggle dozens of extensions—productivity tweaks, developer tools, custom new-tab pages—face a higher surface area of risk because each additional add-on is a potential vector. Even trusted extensions can become dangerous if an attacker compromises the developer’s update channel and slips a poisoned version onto the Chrome Web Store. Google’s review process catches many such attempts, but a zero-day like this circumvents permission checks entirely, making the review moot.
Enterprise environments face compounded challenges. A single employee installing a “free PDF converter” extension could inadvertently expose corporate data from internal dashboards or customer databases open in other tabs. This is why Chrome’s enterprise policies around extension management exist, but until the patch lands on every endpoint, the vulnerability puts sensitive information at risk.
A Brief History of Extension Security Flaws
Chrome extensions have long been a double-edged sword: they extend the browser’s capabilities but also introduce new attack surfaces. The platform has seen a series of cross-origin bugs over the years. In 2024, a similar issue (CVE-2024-10487) allowed extensions to read responses from other origins under certain conditions. Before that, the notorious “DataSpii” incident in 2019 highlighted how extensions could invisibly harvest browser histories and pass them to analytics services.
Google responded with Manifest V3, a revised extension architecture that sharply curtails what add-ons can access by moving to declarative permissions and remote code execution restrictions. Manifest V3 flips the script: instead of an extension getting broad permissions and needing to be reined in, it must declare upfront what it needs, and Chrome enforces it rigorously. Despite these safeguards, CVE-2026-14003 shows that even a well-architected system can harbor logic flaws that undermine its core protections.
The bug’s medium severity doesn’t mean it’s trivial. Google’s scale rates vulnerabilities from critical to low, blending factors like attack complexity and the privileges required. A medium flaw often means an attacker needs to chain the bug with another action—here, convincing a user to install a malicious extension—but once installed, the leak can harvest data continuously.
Your Action Plan
Update Chrome Immediately
The single most effective step is to ensure Chrome is running version 150.0.7871.47 or later. Most installations update automatically, but you can force the check:
- Click the three-dot menu in the top-right corner of Chrome.
- Navigate to Help > About Google Chrome.
- If an update is available, click Relaunch to apply it.
If you’re managing a fleet of Windows machines, push the update via Group Policy or Microsoft Intune. The MSI for Chrome 150 is available from Google’s Enterprise download portal. For managed environments, set the AutoUpdateCheckPeriodMinutes policy to minimize the window between release and installation.
Audit Your Extensions
Now is a good time to declutter. Open chrome://extensions/ and review every installed add-on. Ask yourself:
- Do I recognize this extension?
- Does it need access to “all sites” or only specific ones?
- When did I last use it?
Remove anything you don’t actively rely on. For extensions you keep, click Details and scroll to Site access. Where possible, switch the setting from “On all sites” to “On specific sites” or “On click.” This limits the blast radius if an extension ever turns malicious.
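The manual review above does not scale past one or two machines. The following PowerShell script is an added example, not from the article or from Google, that inventories every extension Chrome has installed for each profile under the current user and flags the ones whose manifest asks for broad host access, which is the “On all sites” case the article recommends tightening. It assumes the default Windows User Data location; adjust `$UserData` for roaming or custom profiles.

```powershell
# Added example (not from the article): inventory Chrome extensions for the
# current Windows user and flag those whose manifest requests broad host access.
# Chrome keeps one manifest.json per installed extension version on disk.
$UserData = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'
# Host patterns that amount to "all sites" in an extension manifest.
$BroadPatterns = @('<all_urls>', '*://*/*', 'http://*/*', 'https://*/*')

function Get-ChromeExtensionInventory {
    param([string]$UserDataDir = $UserData)
    # Profile folders are named "Default", "Profile 1", "Profile 2", ...
    $profiles = Get-ChildItem -Path $UserDataDir -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'Default' -or $_.Name -like 'Profile *' }
    foreach ($profile in $profiles) {
        $extRoot = Join-Path $profile.FullName 'Extensions'
        if (-not (Test-Path $extRoot)) { continue }
        foreach ($extDir in Get-ChildItem -Path $extRoot -Directory) {
            # Each extension-id folder holds one sub-folder per installed version.
            foreach ($verDir in Get-ChildItem -Path $extDir.FullName -Directory) {
                $manifestPath = Join-Path $verDir.FullName 'manifest.json'
                if (-not (Test-Path $manifestPath)) { continue }
                try { $m = Get-Content -Raw -Path $manifestPath | ConvertFrom-Json } catch { continue }
                # MV3 lists host access under host_permissions; MV2 mixed it into permissions.
                $hosts = @()
                if ($m.host_permissions) { $hosts += $m.host_permissions }
                if ($m.permissions)      { $hosts += $m.permissions }
                $broad = $hosts | Where-Object { $BroadPatterns -contains $_ }
                [pscustomobject]@{
                    Profile   = $profile.Name
                    Id        = $extDir.Name          # the 32-character Web Store id
                    Version   = $verDir.Name
                    Name      = $m.name               # may be a "__MSG_*__" localisation key
                    Manifest  = $m.manifest_version
                    BroadHost = [bool]$broad          # $true = requests "all sites" access
                }
            }
        }
    }
}

# Broad-access extensions first: these are the ones to restrict to "On specific sites" or remove.
Get-ChromeExtensionInventory | Sort-Object BroadHost -Descending | Format-Table -AutoSize
```

Run it per user (or loop over C:\Users\*\AppData\Local from an admin session) and pipe the output to Export-Csv to keep a record before and after the cleanup.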
Use Chrome’s Built-In Safety Check
Chrome includes a safety review tool that proactively flags harmful extensions and outdated software. Run it manually:
- Go to chrome://settings/safetyCheck.
- Click Check now.
The tool will verify that Chrome is up to date, spot known malicious extensions, and warn about compromised passwords.
Enterprise Admins: Lock Down Extension Policies
For organizations, the real defense lies in policy enforcement. Windows administrators can use the Chrome Administrative Templates to:
- Create an allowlist of approved extensions via the ExtensionInstallAllowlist policy.
- Block all others with ExtensionInstallBlocklist set to “*” (allowing only the allowlist).
- Force-install vetted business tools so employees don’t need to go hunting.
- Disable developer mode to prevent side-loading of unpacked extensions.
Couple these policies with AppLocker or Windows Defender Application Control to further restrict what code can execute on endpoints. Regularly review enterprise reports in Google Admin Console to spot outliers—devices with unusual extension counts or non-compliant versions.
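For admins who would rather script the lockdown than click through the Group Policy editor, the following PowerShell is an added example (not from the article or from Google) that writes the registry values the Chrome Administrative Templates map to for the four policies just listed. The extension ids are placeholders; the ExtensionDeveloperModeSettings policy name and its value are assumed from Chrome’s enterprise policy list and should be verified against the policy reference for your Chrome version.

```powershell
# Added example (not from the article): apply the extension-lockdown policies on a
# Windows endpoint by writing the registry values behind Chrome's ADMX templates.
# Run from an elevated prompt. Replace the placeholder ids with your vetted tools.
$Base              = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$ApprovedIds       = @('PLACEHOLDER_EXTENSION_ID_1', 'PLACEHOLDER_EXTENSION_ID_2')
$WebStoreUpdateUrl = 'https://clients2.google.com/service/update2/crx'

function Set-ChromeListPolicy {
    param([string]$Name, [string[]]$Values)
    # Chrome list policies live in a sub-key whose string values are named "1", "2", ...
    $key = Join-Path $Base $Name
    if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }   # drop stale entries first
    New-Item -Path $key -Force | Out-Null
    for ($i = 0; $i -lt $Values.Count; $i++) {
        New-ItemProperty -Path $key -Name ($i + 1) -Value $Values[$i] -PropertyType String -Force | Out-Null
    }
}

New-Item -Path $Base -Force | Out-Null

# 1. Block everything that is not explicitly allowed.
Set-ChromeListPolicy -Name 'ExtensionInstallBlocklist' -Values @('*')

# 2. Allowlist the vetted extensions; allowlist entries take precedence over the "*" blocklist.
Set-ChromeListPolicy -Name 'ExtensionInstallAllowlist' -Values $ApprovedIds

# 3. Force-install them ("id;update_url" format) so users never need to browse the Web Store.
Set-ChromeListPolicy -Name 'ExtensionInstallForcelist' `
    -Values ($ApprovedIds | ForEach-Object { "$_;$WebStoreUpdateUrl" })

# 4. Block extension developer mode, which is how unpacked extensions get side-loaded.
#    ASSUMPTION: ExtensionDeveloperModeSettings with 1 = block; confirm in the policy reference.
New-ItemProperty -Path $Base -Name 'ExtensionDeveloperModeSettings' -Value 1 -PropertyType DWord -Force | Out-Null

# Quick local check; chrome://policy on the endpoint should then list all four without errors.
Get-ChildItem -Path $Base | Select-Object PSChildName
Get-ItemProperty -Path $Base | Select-Object ExtensionDeveloperModeSettings
```

Chrome picks up HKLM policy changes within minutes; a "Reload policies" click on chrome://policy applies them immediately.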
Watch for Suspicious Behavior
Even after updating, stay alert. Signs that an extension may be abusing cross-origin access include:
- Unusual network traffic during idle browsing (observable in Task Manager or network monitoring tools).
- Slow tab switching or excessive memory usage from an add-on.
- Unexpected popups or redirects that request new permissions.
Windows users can monitor extension processes through the built-in Chrome Task Manager (Shift+Esc in Chrome) to see if an extension consumes disproportionate resources.
Looking Ahead
CVE-2026-14003 underscores that extension security remains a moving target. Google will likely tighten cross-origin checks further in upcoming Chrome releases, perhaps enforcing even stricter isolation beyond what Manifest V3 mandates. The company is also experimenting with “Safety Hub,” a dashboard that gives users a real-time view of extension behavior, expected in a later Chrome 150 point release.
For Windows users and admins, the takeaway is clear: updates buy you safety, but scrutinizing what you install is an ongoing necessity. Chrome’s update cadence means the next patch wave is only weeks away, and each one closes door after door that attackers are already probing.