Google has released a security update for Chrome 150 on Windows and macOS that closes a hole in how the browser enforced same-origin policies for SVG files. The flaw, tracked as CVE-2026-14016, could have allowed a remote attacker to craft a malicious SVG image that, when viewed, siphons private information — authentication tokens, cookies, personal details — from other websites you’re logged into. The patch, identified as version 150.0.7871.47, is rolling out now, and users are urged to install it immediately.
What Changed in Chrome 150.0.7871.47
The update addresses a single, medium-severity vulnerability in Chrome’s SVG policy enforcement. SVGs (Scalable Vector Graphics) are not just static images; they can carry active content, including JavaScript, CSS, and font references. For security, modern browsers isolate SVGs through the same-origin policy, a rule that prevents a document from one site from reading data belonging to another. CVE-2026-14016 was a failure in this isolation. Specifically, Google’s advisory notes that the flaw allowed an attacker, by convincing a user to load a specially crafted SVG file in Chrome, to bypass cross-origin restrictions and exfiltrate sensitive data from other origins.
The fix is in the browser itself, not a setting users can change: Chrome’s developers adjusted the internal security checks that control what an SVG document can access across site boundaries. The fix landed in the stable channel on [date placeholder: the advisory simply says “now available” without a specific date], and the new version number should appear in Chrome’s About page after a restart. No other fixes were publicly disclosed in this release, which makes it a concentrated, out-of-band security update; Google typically bundles multiple patches in a version bump, but here only CVE-2026-14016 was called out in the release notes.
What This Means for You
For everyday Chrome users on Windows and Mac
If you open a malicious SVG file — whether it’s hosted on a dodgy website, sent as an email attachment, or embedded in a document — an attacker could theoretically read data from your other open tabs. That includes session cookies (which keep you logged into webmail, banking, or social media), personal identifiers stored in localStorage, or even API responses from another site if you have active sessions. The attack requires tricking you into visiting a page that loads the weaponized SVG, but once there, no further interaction is needed. The SVG executes in the background and can silently transmit the stolen information to a server under the attacker’s control.
Medium severity doesn’t mean low risk. Flaws like this often receive a medium Common Vulnerability Scoring System (CVSS) rating because an attacker needs to chain them with other weaknesses or a phishing lure; even so, targeted spear-phishing campaigns have used trick-image tactics before. If you handle sensitive data — journalists, finance professionals, system administrators — the risk is elevated. According to Google, no public exploit code is known yet, but security researchers often reverse-engineer patches quickly, so the window of safety is narrow.
For IT administrators and enterprise deployments
Your fleet of Windows and macOS devices running Chrome must be updated to version 150.0.7871.47 or higher as soon as possible. Use Group Policy, Configuration Manager, or Jamf to override your normal update-ring schedule and force an early push. Because this is a pure security release with no new features, regression risk is minimal. Note that Chrome’s auto-update mechanism typically checks every few hours; if you have bandwidth concerns, you can download the standalone enterprise installer from Google’s website.
Also, consider checking your web filtering or endpoint protection. Some security products can detect and block known malicious SVG patterns — but given the nature of cross-origin data leakage, prevention at the browser level is the most reliable defense. Ensure Chrome’s built-in “Safe Browsing” is enabled (it’s on by default) for additional phishing protection.
For web developers
If your web applications serve user-generated SVG content, audit your sanitization pipeline. Libraries like DOMPurify strip dangerous elements from SVGs, but a browser-level flaw like this bypasses even perfect server-side filtering because the attack exploits a parsing bug, not a missing scrub. Your immediate action is the same as everyone else’s: update Chrome on your development and testing machines. Long-term, watch for any revised guidance from Google on trusted types or Content Security Policy (CSP) directives that might harden against similar bugs, but the built-in fix is the solution this time.
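For the sanitization audit just mentioned, here is an added example (not code from this article, from Google, or from any named library) of the two controls a server-side pipeline for user-uploaded SVG normally combines: a scrub of active content using only the Python standard library, and a response-header baseline for serving the result. The input SVG is constructed for the demonstration. The headers are generic hardening for user-supplied files, not a fix for CVE-2026-14016, which, as the text says, only the Chrome update addresses; serving such files from a dedicated static hostname is assumed as well.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Serialise with the conventional prefixes instead of ElementTree's ns0:/ns1:.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# CSS that would fetch a remote resource or run legacy script; url(#local) is allowed.
CSS_EXTERNAL = re.compile(r"url\s*\(\s*['\"]?\s*(?!#)|@import|expression\s*\(", re.IGNORECASE)


def _local(qname: str) -> str:
    """'{uri}href' -> 'href' (ElementTree's Clark notation for namespaced names)."""
    return qname.rsplit("}", 1)[-1]


def _should_drop(elem: ET.Element) -> bool:
    """Elements removed outright: script, embedded foreign documents, animations
    that rewrite an href, and <style> blocks that pull in external resources."""
    name = _local(elem.tag)
    if name in ("script", "foreignObject"):
        return True
    if name in ("set", "animate") and elem.get("attributeName", "").lower().endswith("href"):
        return True
    if name == "style" and elem.text and CSS_EXTERNAL.search(elem.text):
        return True
    return False


def _scrub_attributes(elem: ET.Element) -> None:
    for attr in list(elem.attrib):
        name = _local(attr).lower()
        value = elem.attrib[attr]
        if name.startswith("on"):                          # onload=, onclick=, ...
            del elem.attrib[attr]
        elif name == "href" and not value.strip().startswith("#"):
            del elem.attrib[attr]                          # javascript:, http(s):, data: all go
        elif name == "style" and CSS_EXTERNAL.search(value):
            del elem.attrib[attr]


def _scrub(elem: ET.Element) -> None:
    for child in list(elem):                # iterate over a copy: the tree is mutated
        if _should_drop(child):
            elem.remove(child)
        else:
            _scrub(child)
    _scrub_attributes(elem)


def sanitize_svg(svg_text: str) -> str:
    """Return svg_text with scripting and cross-origin hooks removed.
    Assumption for production: parse with defusedxml instead of xml.etree so
    entity-expansion attacks on the XML layer are rejected too."""
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    _scrub(root)
    return ET.tostring(root, encoding="unicode")


def svg_response_headers() -> dict:
    """Headers for serving the sanitized file. Defence in depth only: they do not
    repair a browser bug, but a script the scrub missed cannot run as a document
    on the app origin, and remaining external loads are blocked."""
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",   # never sniffed into HTML
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
        "Content-Disposition": "attachment",   # direct navigation downloads; <img> still renders
    }


# Constructed test input: the hooks a scrub must strip, plus content that must survive.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(1)</script>
  <defs><circle id="dot" r="4"/></defs>
  <use xlink:href="#dot"/>
  <use xlink:href="https://external.invalid/remote.svg#x"/>
  <a href="javascript:alert(1)"><text>label</text></a>
  <rect width="10" height="10" style="fill:url(https://external.invalid/leak)"/>
  <rect width="10" height="10" style="fill:url(#grad)"/>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><script>alert(1)</script></body></foreignObject>
</svg>"""

if __name__ == "__main__":
    print(sanitize_svg(SAMPLE_SVG))
    print(svg_response_headers())
```

The scrub is deliberately allow-listing on the two things that matter most (`href` must be a same-document fragment, CSS `url()` must be a fragment); anything a legitimate icon needs survives, while every path to script execution or a cross-origin fetch from the file is removed.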
How We Got Here: SVG’s Long History of Browser Headaches
SVGs have been a security concern since they gained scripting support. Early versions of Chrome, Firefox, and Safari all wrestled with same-origin issues because SVGs can be embedded via <img>, <object>, <embed>, or inline <svg> — each with its own security context. In 2022, Chrome 105 fixed a flaw (CVE-2022-3723) that let SVG <use> elements bypass same-origin checks, and in 2023, Chrome 116 patched an SVG animation issue that could leak canvas data. The root cause is often the complexity of the SVG specification, which mixes presentation with programmability.
CVE-2026-14016 fits this pattern. According to Google’s brief, it was an “inappropriate implementation” of the policy enforcement that governs SVG fetching and execution. An SVG’s ability to load external resources (fonts, images, scripts) must respect origin boundaries, and somewhere in Chrome’s rendering engine — likely the Skia graphics library or the Blink fork of WebKit — that boundary was soft. The bug could have been introduced during a performance optimization or a refactor of the SVG parsing code.
Google’s security team, or an external researcher rewarded through the Vulnerability Reward Program, reported the issue. The severity score of “medium” suggests it wasn’t trivially exploitable — perhaps requiring user interaction beyond a simple drive-by download — but with convincing social engineering, the barrier is low. The patching cadence is notable: Chrome 150 is a relatively early stable version in the 2026 release cycle, and Google is shipping this fix quickly, indicating it judged the public risk significant enough to go ahead of other planned updates.
What You Should Do Now
Update Chrome immediately
- Open Chrome, click the three-dot menu (⋮) at the top right.
- Hover over “Help” then click “About Google Chrome.”
- The browser will automatically check for updates and begin downloading version 150.0.7871.47. Wait for the download to finish, then click “Relaunch.”
- After relaunching, verify the new version number appears in the same About page.
If you don’t see the update yet, wait a few hours — staged rollouts are common. You can also download the full installer from google.com/chrome/ and run it to force an immediate update.
For managed environments
Push the update via your endpoint management tool. MSI installers for Windows and PKG packages for macOS are available on Chrome’s enterprise download page. Make sure no existing update policy is pinning or suppressing updates; if you use Chrome Browser Cloud Management, set the “Application Updates” policy to allow updates immediately.
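To confirm that the push described here (and in the administrator guidance earlier) actually landed, here is an added example, not code from this article or from Google, that reads the installed Chrome version on a Windows or macOS endpoint, compares it numerically against the patched build, and sorts an MDM inventory export into patched, unpatched and unknown buckets. It assumes Chrome’s standard install layout: on macOS the CFBundleShortVersionString key in /Applications/Google Chrome.app/Contents/Info.plist, and on Windows the version-named folder under Google\Chrome\Application in Program Files, Program Files (x86) or the per-user LocalAppData. The inventory is constructed sample data.

```python
import os
import plistlib
import re
import sys
from typing import Dict, List, Optional, Tuple

PATCHED_VERSION = "150.0.7871.47"      # first build carrying the CVE-2026-14016 fix
VERSION_DIR = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Chrome versions are four dotted integers; compare them numerically,
    never as strings ('150.0.7871.47' sorts above '150.0.7871.100' lexically)."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, patched: str = PATCHED_VERSION) -> bool:
    return parse_version(installed) >= parse_version(patched)


def installed_chrome_version() -> Optional[str]:
    """Read the local Chrome version from the assumed install locations."""
    if sys.platform == "darwin":
        plist = "/Applications/Google Chrome.app/Contents/Info.plist"
        if os.path.isfile(plist):
            with open(plist, "rb") as fh:
                return plistlib.load(fh).get("CFBundleShortVersionString")
        return None
    if sys.platform == "win32":
        found: List[str] = []
        for base in (os.environ.get("ProgramFiles"),
                     os.environ.get("ProgramFiles(x86)"),
                     os.environ.get("LOCALAPPDATA")):
            app_dir = os.path.join(base, "Google", "Chrome", "Application") if base else None
            if app_dir and os.path.isdir(app_dir):
                # Chrome keeps one folder per installed build, named after the version.
                found += [d for d in os.listdir(app_dir) if VERSION_DIR.match(d)]
        return max(found, key=parse_version) if found else None
    return None  # other platforms are outside this advisory's scope


def classify_inventory(inventory: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Split an MDM export (host -> reported Chrome version) into buckets for follow-up."""
    result: Dict[str, List[str]] = {"patched": [], "unpatched": [], "unknown": []}
    for host, version in inventory.items():
        if not version:
            result["unknown"].append(host)
            continue
        try:
            result["patched" if is_patched(version) else "unpatched"].append(host)
        except ValueError:           # agent reported garbage; needs a manual look
            result["unknown"].append(host)
    return result


SAMPLE_INVENTORY: Dict[str, Optional[str]] = {   # constructed sample data
    "win-lap-01": "150.0.7871.47",
    "win-lap-02": "150.0.7871.30",
    "mac-dev-03": "151.0.7900.12",
    "mac-dev-04": "149.0.7800.99",
    "win-kiosk-05": None,
    "win-kiosk-06": "unknown",
}

if __name__ == "__main__":
    local = installed_chrome_version()
    if local is None:
        print("Chrome not found at the assumed install location")
    else:
        print(f"installed {local}: {'patched' if is_patched(local) else 'UPDATE REQUIRED'}")
    for bucket, hosts in classify_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hosts}")
```

Run it on the endpoint itself for a spot check, or feed `classify_inventory` the version column from your management console’s export; the numeric comparison matters because a later build such as 150.0.7871.100 would otherwise be reported as older than 150.0.7871.47.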
Verify and monitor
After updating, consider running a quick test. You can use a security sandbox like browser.cat to test same-origin policy enforcement, though proof-of-concept code for CVE-2026-14016 is not public. Stay alert for any follow-up CVEs in Chrome 151 or later; sometimes a patch reveals additional related bugs.
No workaround, but good hygiene
There’s no effective user-side workaround for this kind of flaw. Disabling SVG in Chrome is not practical — it would break most websites. The only real action is to patch. While waiting for the update, avoid opening unexpected image files, especially from unknown sources, and consider signing out of sensitive accounts when browsing less-trusted sites.
Outlook: More SVG Patches Likely
This won’t be the last SVG-related fix. As browsers add more advanced graphic features (WebGPU, advanced compositing), the attack surface for vector-based exploits grows. Google’s proactive fuzzing of the SVG parsing engine catches many bugs, but this CVE shows that policy logic can be a weak link. Expect Chrome 151 and later builds to include additional hardening. Meanwhile, keep an eye on Chrome’s release blog and consider enrolling in Google’s Advanced Protection Program if you work with high-risk data. For now, hitting “Relaunch” after the update is the single best security move you can make.