Google has shipped Chrome for iOS version 150.0.7871.47 to close a use-after-free vulnerability that allowed remote attackers to corrupt heap memory simply by luring victims to a malicious website. The patch, which started rolling out today via the App Store, fixes CVE-2026-13918 and is available for all iPhone and iPad users. If you rely on Chrome to browse the web on your Apple mobile device, you should apply the update immediately to block potential exploits.
What’s Fixed in Chrome for iOS 150.0.7871.47
The update, which bumps Chrome on iOS to build 150.0.7871.47, addresses a single security flaw tracked as CVE-2026-13918. The vulnerability is a classic use-after-free — a memory management bug that occurs when a program continues to reference a memory location after it has been freed. In the context of a web browser, such flaws can be triggered by processing specially crafted HTML or JavaScript, potentially leading to heap corruption and, in the worst case, remote code execution.
Google has not yet published a detailed technical write-up of the vulnerability, which is common practice while users are still rolling out the patch. What we do know from the advisory excerpt is that “a remote attacker [could] use a crafted HTML page to trigger heap corruption” on iPhones running an affected version of Chrome. The extent of the damage could range from browser crashes to full system compromise, depending on the success of additional exploit steps.
Notably, the update arrives as part of the broader Chrome 150 milestone, which typically introduces new features and dozens of security fixes across platforms. On iOS, however, all browsers — including Chrome — are required to use Apple’s WebKit engine for rendering. This means the vulnerability could reside either in Chrome’s own surrounding code (such as its UI, networking, or V8 JavaScript engine — Chrome’s V8 is allowed on iOS) or in the system’s WebKit framework. If the latter is the case, the same bug could affect Safari and other iOS browsers, but the fact that Google issued a Chrome-specific update suggests the fix lies in its own codebase. Nonetheless, this is speculation; Google typically doesn’t disclose such details until weeks after the patch.
What This Means for You
For everyday users: If you use Chrome as your primary browser on iPhone or iPad, your device could be silently compromised by simply clicking on a link in an email, a social media post, or a malicious website. The attack vector requires no more than visiting a rigged page, and the heap corruption could allow an attacker to steal sensitive data, install malware, or hijack your online accounts. The good news? The fix is just a tap away. There are no reports of active exploitation in the wild, but once a CVE is publicly disclosed, malicious actors often reverse-engineer the patch to develop exploits for unpatched devices. The clock is ticking.
For IT administrators and security teams: If your organization manages fleets of iPhones or iPads with Chrome installed, this update should be treated as a high-priority patch. Remote heap corruption in a browser can serve as an entry point for broader network attacks, especially if employees access corporate resources through Chrome. Use your mobile device management (MDM) solution to force the update immediately, or at a minimum, notify users and set a deadline for compliance. Consider also checking whether any web filtering or threat intelligence feeds have picked up indicators of compromise related to CVE-2026-13918.
For developers and power users: Beyond patching your own devices, you might want to monitor Google’s security blog for technical details once they’re released. Understanding the specifics of this use-after-free could inform your own web application security practices. Additionally, if your app embeds Chromium or interacts with Chrome’s rendering engine, be alert for any stability or compatibility issues that might arise from this patch.
How We Got Here: The Perils of Use-After-Free in Browsers
Use-after-free vulnerabilities are among the most common and dangerous classes of browser bugs. They stem from the complexity of modern web engines, which constantly allocate and deallocate blocks of heap memory to manage everything from JavaScript objects to DOM nodes. A tiny logic error — such as forgetting to clear a pointer after freeing its memory — can open a window for attackers to craft inputs that reuse that dangling pointer, corrupting fresh memory with attacker-controlled data.
Google’s Chrome team has been locked in a cat-and-mouse game with such memory-safety bugs for years. The company’s shift toward memory-safe languages (like Rust) and defensive techniques (like heap isolation and control-flow integrity) has gradually raised the bar for exploitation. On iOS, the platform’s robust sandboxing further limits the damage from a browser compromise, but heap corruption in the browser process can still lead to significant data exposure.
The Chrome 150 release cycle has been fairly standard: after a round of beta testing, Google began rolling out the stable update across desktop and Android platforms earlier this week. The iOS release often trails slightly due to App Store review processes or platform-specific testing. The version number 150.0.7871.47 follows Google’s typical four-part format: major version (150), minor version (0), branch (7871), and build (47). Each release may carry multiple bug fixes, but this CVE is the only one explicitly mentioned in the accompanying security note.
Historically, Google has patched use-after-free flaws on a near-monthly basis. In previous years, critical bugs like CVE-2019-13720 (a use-after-free in audio) and CVE-2019-13721 (a use-after-free in PDFium) were exploited in the wild, earning them the nickname “0-click” threats because they required minimal interaction. While we don’t yet know the details of CVE-2026-13918, its disclosure alongside a routine update suggests it’s important but perhaps not an emergency 0-day — at least, no emergency out-of-cycle release was observed.
What to Do Now: Step-by-Step Update Guide
Updating Chrome on your iPhone or iPad takes less than a minute. Here’s how to make sure you’re running the patched version.
- Open the App Store on your device.
- Tap your profile icon in the top-right corner (or scroll all the way to the top of the “Today” tab and tap your photo).
- In the account menu, scroll down to the Available Updates section.
- Look for Chrome in the list. If you see an Update button next to it, tap it. If it says “Open,” you are already on the latest version.
- Wait for the update to download and install. The new version number should be 150.0.7871.47.
Alternatively, you can open Chrome and go to Settings (tap the three-dot menu in the bottom-right corner, then Settings). Scroll down to the Google Chrome section at the very bottom. The version number is displayed there. If it’s not 150.0.7871.47, force-close Chrome and check the App Store again.
Most users have auto-update enabled, so the patch may already be installed. To verify auto-update is on: go to Settings > App Store, and under “Automatic Downloads,” ensure App Updates is toggled on. Even with auto-update, it can take hours or days to install, so a manual check is prudent.
For enterprises, you can manage Chrome updates via your MDM platform. In Microsoft Intune, for example, you can set the app to “Required” to enforce the latest version. If you use Apple Business Manager, ensure Chrome is listed as a managed app with automatic updates enabled.
Outlook: What to Watch Next
Google will likely release more information about CVE-2026-13918 in its Chrome release blog (search for “Chrome Releases” on Google’s official blog) in the next day or two. Security researchers often analyze patches to understand the root cause, and we might see proof-of-concept code surface soon. That’s normal and can be beneficial for defenders, but it also means attackers will try to weaponize the vulnerability against unpatched devices. So don’t wait.
Beyond this patch, keep an eye on the broader Chrome 150 release cycle. Even though this specific CVE appears to impact only iOS users, desktop and Android versions of Chrome 150 also included security fixes that could affect you if you use Chrome across platforms. iOS users should also make sure their device’s own Safari browser is up to date; if the flaw resides in WebKit, Apple will address it in the next iOS update. The iOS 19.5 update, currently in beta, may include such a fix.
Finally, this incident underscores the importance of keeping all your apps updated, not just the operating system. Browsers are a primary attack surface, and the App Store’s auto-update feature is your first line of defense. If you haven’t already, enable it and make it a habit to check manually once a week.