Google released Chrome 150.0.7871.47 for iOS on February 13, 2026, plugging a security hole that the company warns may already be under active attack. The flaw, indexed as CVE-2026-14028, is a high‑severity vulnerability that affects every version of Chrome on iPhone and iPad prior to the latest release. Unlike most Chrome fixes, Google provided almost no technical detail about the bug — a tactic reserved for zero‑day exploits that need immediate widespread patching before threat actors can analyze and repurpose them.
Windows users are not affected by this specific vulnerability. Google’s advisory makes no mention of Chrome for desktop, and independent databases confirm the Windows build is clean. That means this is a mobile‑only emergency, and iPhone owners who rely on Chrome need to act fast.
What Actually Was Fixed
The update log for Chrome 150 (iOS) is uncharacteristically thin. Here’s exactly what the Stable channel release notes say:
This update includes 1 security fix. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information. [$TBD][CVE-2026-14028] High.
The entry sits alone in the “security fixes” section. There’s no Common Weakness Enumeration tag, no description of the attack vector, and no acknowledgement of the reporting researcher — redactions that Google normally makes when the bug was discovered through an active exploit chain in the wild.
What we do know:
- Affected versions: Chrome for iOS older than 150.0.7871.47.
- Platform: iPhone and iPad only. The Android release (Chrome 150 for Android) does not list this CVE, and neither does any desktop channel.
- Severity: Marked “High” by both Google and the NIST National Vulnerability Database. While not the maximum “Critical” rating, high‑severity flaws can allow attackers to execute code, steal data, or escalate privileges — often with minimal user interaction.
Google’s decision to keep the bug private right after a patch is standard operating procedure for discovered‑in‑the‑wild zero‑days. By keeping the inner workings secret for a few weeks, the company buys time for the update to reach the majority of users before exploit code appears on public forums.
What It Means for You
If you use Chrome on an iPhone or iPad
Stop reading and update. Open the App Store, tap your account icon in the top right, and pull down to refresh the available updates list. Find Chrome, hit Update, and wait for the download to finish. The patched version (150.0.7871.47) will appear right away.
To verify you’re safe after the update: tap the three‑dot menu in Chrome, go to Settings, and look at the bottom of the page. The version string should start with 150.0.7871.47.
If you have automatic updates enabled — and you really should — the fix may have already installed overnight while your device was charging and connected to Wi‑Fi. It’s still worth checking manually. Delaying this update leaves your device wide open to whatever attack the CVE represents, and because it’s a zero‑day, that attack is already in someone’s toolbox.
If you manage iPhones in a business or school
MDM administrators should push the update through their device management console immediately. For supervised devices, force install the latest Chrome version — do not wait for users to check the App Store on their own. Because the vulnerability is already being exploited, unpatched devices represent a tangible risk, particularly for employees handling sensitive corporate accounts inside the browser.
If your organization uses a separate enterprise browser or has sideloaded Chrome through a VPP token, confirm that the version number aligns with the fixed release. Google occasionally staggers updates across regions and distribution channels, so cross‑reference using the Settings menu inside Chrome rather than relying on your MDM’s last‑sync date.
If you use Chrome on a Windows PC, Mac, or Android device
You can breathe easy — for now. CVE‑2026‑14028 does not apply to desktop platforms or Android. That said, Chrome 150 is rolling out to all platforms around the same time, so it’s a good opportunity to verify your desktop browser is fully up to date. On Windows, click Help → About Google Chrome, and the app will auto‑fetch any pending patches. Android users should visit the Play Store and check for updates manually, as background updates occasionally stall.
How We Got Here: Chrome’s Mobile Update Cadence and Zero‑Day Secrecy
Chrome for iOS follows a four‑week release cycle matching its desktop counterpart, with minor updates between milestones reserved for urgent security fixes. This particular patch landed just two days after Chrome 150 debuted for Windows and macOS, suggesting that Google rushed it out as soon as the exploit was reported.
The backstory likely traces one of two paths:
- A direct report from an incident response team. A researcher or security firm spotted an active attack against iPhone users through Chrome, reverse‑engineered the exploit, and sent details to Google’s Project Zero or the Chrome Security Team. Google confirmed the bug, built a fix, and shipped it on an accelerated timeline.
- An internal discovery during routine fuzzing or code audit. Less dramatic, but entirely possible. In this scenario, Google might have found the flaw before any public exploit existed and still decided to suppress details to prevent copycat attacks.
The fact that Google withheld the reporter’s name and the technical description tilts the evidence strongly toward path #1. Past zero‑days — like CVE‑2021‑37973 from 2021, which targeted Chrome for iOS — were similarly documented with minimal information at launch, and only received full write‑ups after the update had saturated the user base.
Historically, Chrome on iOS sits inside a security sandbox imposed by Apple’s WebKit requirement. Apple forces all browsers on iOS to use its own WebKit engine, meaning Google has less control over the rendering engine than on desktop. This sometimes leads to bugs that straddle both Chrome and Safari. It’s too early to say whether CVE‑2026‑14028 is a pure Google‑side issue or an interaction with WebKit, but iOS‑only scope suggests either a sandbox escape specific to Chrome’s layer or a memory‑corruption bug inside the browser’s own code.
What to Do Now: A Step‑by‑Step Plan
- Update Chrome on every iPhone and iPad you own right now. App Store → account → pull‑to‑refresh → Update next to Chrome.
- Confirm the version. Menu → Settings → “Chrome 150.0.7871.47” should appear at the bottom.
- Turn on automatic updates if they’re off. Go to Settings → App Store → enable App Updates. This won’t retroactively fix today’s issue, but it will prevent future delays.
- Restart your device. It’s not strictly necessary, but a reboot ensures that any lingering in‑memory processes are replaced with the patched executable.
- If you manage a fleet of iOS devices, use your MDM to force install the update now. Set a compliance window of no more than 24 hours before flagging unpatched devices.
- Keep an eye on Google’s Chrome Releases blog. The company typically publishes a retrospective post detailing the bug’s technical details a few weeks after the patch ships. Once public, that information can help security teams understand detection opportunities.
What’s Next: Why This Patch Matters Beyond Today
CVE‑2026‑14028 is a reminder that mobile browsers are just as dangerous — and just as targeted — as desktop ones. For years, iPhone users enjoyed a reputation of safety, but recent surges in mobile‑first phishing and browser‑based exploitation have eroded that advantage. Google’s decision to hold back the technical write‑up means the public will likely get clarity in March or April 2026, possibly alongside a report from Google’s Threat Analysis Group if the exploit was used by a known nation‑state actor.
For now, the only smart move is to take the ten seconds needed to update Chrome on your iPhone. Zero‑day vulnerabilities don’t give you a second chance.