Google shipped an urgent fix for a flaw in Chrome’s developer tools that could hand a remote attacker snippets of your browser’s memory. The vulnerability, cataloged as CVE-2026-13961, was closed in Chrome 150.0.7871.47 for Windows. A crafted web page combined with a few specific clicks inside DevTools was all it took to trigger the leak.
What got patched
The weakness lived somewhere in the memory-inspection component of DevTools — the same pane you open with F12 to debug performance or hunt down memory leaks. According to Google’s advisory, a remote attacker could serve a malicious HTML page that, after a victim performed “specific user interface gestures” inside DevTools, would disclose potentially sensitive information from the browser’s process memory. The company rated the issue High severity and credited an external researcher who reported it through the Chrome Vulnerability Rewards Program.
Chrome 150.0.7871.47 began rolling out on February 18, 2026, and the bulletin confirms that the fix is specific to the Windows build. Mac, Linux, and Android users are not affected by this particular flaw.
Why you should care
For most people who never open DevTools, the direct risk is slim: the attack requires that you actively invoke the developer panel on a dodgy page and then click or interact in a certain way. But for web developers, QA engineers, and anyone who keeps DevTools pinned to a second screen, the threat is more concrete. An attacker could craft a page that asks you to “check the console for a special offer” or pose as a technical support page that walks you through a sequence of keypresses. Once you comply, the leaked memory could contain passwords, cookies, authentication tokens — potentially even data belonging to other open tabs if Chrome’s site isolation didn’t catch every boundary.
Because the bug is information disclosure, not remote code execution, an attacker still needs to exfiltrate whatever they’ve stolen. But that’s a low bar: the same crafted page can send the data home via a simple network request.
Home users
Keep auto-update turned on. When the blue “Update” button appears in the top‑right corner of Chrome, click it, or restart the browser to apply the patch silently. Avoid opening DevTools on sites you don’t trust — and if a site you’ve never visited asks you to press F12, close the tab.
IT administrators
Push the update as soon as possible through your usual deployment channel — Group Policy, SCCM, or a managed browser policy. The fixed version is 150.0.7871.47; any earlier build for Windows is vulnerable. If your organization blocks automatic updates, now is the moment to manually approve this release. Remind employees, especially those in development or testing roles, not to open DevTools on unverified pages, even during training sessions or troubleshooting.
Developers and power users
You’re the most likely target. Malicious sites that mimic development tools or exploit curiosity (“check out this performance trace!”) are the attack vector of choice. While the patch eliminates the underlying bug, consider limiting DevTools usage to sites you’ve explicitly vetted. A blunt but safe shortcut: right‑click the tab before pressing F12 and confirm the domain is one you recognize.
How we got here
DevTools has always been a double‑edged sword: it exposes deep internals of the browser to aid debugging, so any flaw inside it carries extra weight. The Chrome team has patched several DevTools‑related bugs in the past three years — CVE‑2024-4321, for instance, let a malicious extension eavesdrop on DevTools traffic, while CVE-2025-1208 allowed local file disclosure if the console was open. Each fix tightens the sandboxing between the inspected page and the tooling.
CVE‑2026-13961 was uncovered by a researcher whose name Google typically withholds until the reward process concludes. The bug report landed in late January 2026, and the patch was built, tested, and shipped in under four weeks — a turnaround that reflects the seriousness Google assigned to it. The company’s commitment to rapid disclosure means attackers now have a reverse‑engineering blueprint, which is why the update is urgent.
What to do right now
- Check your version. Click the three‑dot menu → Help → About Google Chrome. If the version string reads 150.0.7871.47 or higher, you’re protected. If it’s lower, Chrome will begin downloading the update immediately.
- Restart the browser. The update won’t take effect until all Chrome windows are closed and reopened. Any tabs you had open will restore automatically.
- Verify on managed devices. In enterprise environments, confirm the update has deployed by opening the same About page on a test machine. Force a check-in through your management console if needed.
- Report suspicious pages. If a site asks you to open DevTools under unusual pretenses, report it through Chrome’s Safe Browsing mechanism (Menu → Help → Report an issue).
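As an added illustration (not from Google's advisory or any Chrome tooling), the version check above can be run across a fleet inventory export rather than one About page at a time. The CSV columns, hostnames and sample versions are constructed assumptions; only the fixed build 150.0.7871.47 comes from this article.

```python
import csv
import io

FIXED = (150, 0, 7871, 47)  # fixed Windows build named in the article

# Constructed sample inventory export; hostnames and column names are assumptions.
SAMPLE_INVENTORY = """hostname,os,chrome_version
dev-ws-01,Windows,150.0.7871.47
dev-ws-02,Windows,150.0.7871.9
qa-ws-03,Windows,149.0.7820.120
build-mac-01,macOS,149.0.7820.120
kiosk-07,Windows,
dev-ws-04,Windows,150.0.7871.100
"""

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a Chrome version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(inventory_csv, fixed=FIXED):
    """Sort Windows hosts into patched / vulnerable / unknown buckets."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["os"].strip().lower() != "windows":
            continue  # the article scopes the fix to the Windows build
        version = parse_version(row["chrome_version"] or "")
        if version is None:
            bucket = "unknown"      # missing or malformed: needs a manual check
        elif version >= fixed:      # tuple comparison is numeric per component
            bucket = "patched"
        else:
            bucket = "vulnerable"
        result[bucket].append(row["hostname"])
    return result

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Comparing the version strings as text would misclassify 150.0.7871.9 as patched and 150.0.7871.100 as vulnerable, which is why each component is compared as an integer.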
No workaround is available short of disabling DevTools entirely — an option you can enforce via policy for high‑security environments where developers rarely need the tooling:
- Open Group Policy Editor.
- Navigate to Computer Configuration → Administrative Templates → Google Chrome.
- Enable the policy titled “Disable Developer Tools” (also available for Google Update policies).
- If you use a different management product, apply the corresponding plist/JSON setting.
Disabling DevTools blocks the attack vector completely but rips a critical tool out of developers’ hands. For most users, simply updating is enough.
What’s ahead
Google’s advisory calls this a “partial fix,” suggesting the underlying issue may have deeper roots that will be addressed in a follow‑up release. Meanwhile, Microsoft’s own Edge browser — built on the same Chromium engine — will likely release an equivalent patch within days, as it has for past DevTools vulnerabilities. Watch the Edge Stable and Edge Dev channel release notes for an update.
The episode reinforces a rusty but stubborn truth: the tools that help us build the web can also be the ones that undo our privacy. With browser vendors adding ever more powerful debugging features — from CSS overview panels to real‑time memory snapshots — the attack surface inside DevTools will keep expanding. Keeping your browser on auto‑update and raising your guard when the F12 pane is open remain the simplest defenses.