Google disclosed a medium-severity vulnerability in Chrome’s MediaCapture feature on June 30, 2026, that could let remote attackers trick users into granting camera or microphone access through a spoofed permission prompt. The fix, bundled in version 150.0.7871.47, is rolling out to Windows, Mac, and Linux users and should be installed immediately to prevent website-based scams that hijack the browser’s own security indicators.

Chrome 150.0.7871.47 Ships a Quiet but Critical UI Fix

The vulnerability tracked as CVE-2026-13985 affects Chrome’s implementation of the MediaCapture API—the mechanism websites use to request access to your camera and microphone. According to Google’s official advisory, a remote attacker who has already lured a user into a compromised state can craft a fake browser dialog that mimics legitimate permission prompts. The spoofed UI would show convincing-looking camera or mic authorization boxes, tricking users into clicking “Allow” when they think they’re interacting with Chrome’s own security controls.

The flaw was classified as “medium” severity rather than critical because it requires some level of prior user interaction or browser compromise before the attacker can launch the UI spoof. However, medium doesn’t mean mild—social-engineering attacks that abuse the browser’s own presentation layer are notoriously effective, and the camera/mic permissions are among the most sensitive personal data points a website can access.

Chrome 150.0.7871.47, released on June 30, 2026, is the first version to include the patch. Google stated that it “knew of no active exploitation in the wild” at the time of disclosure, but the public CVE details give attackers a blueprint, so delaying the update is risky.

The Real-World Risk for Windows Users on Every Chromium Browser

This isn’t just a Chrome problem. Any browser built on Chromium—Microsoft Edge, Brave, Opera, Vivaldi, and countless Electron-based desktop apps—could inherit the same MediaCapture vulnerability if it hasn’t yet backported the fix. Edge, in particular, typically follows Chrome’s stable releases within a day or two, but it’s worth checking that your Edge version isn’t lagging behind.

The attack scenario on Windows is especially dangerous because many users rely on Chrome or Edge for video calls, streaming, and telehealth, often granting camera access to trusted sites without a second thought. A spoofed prompt could appear over a legitimate site, making it nearly impossible to discern the fake from the real. Once camera access is granted, an attacker could capture video feeds, snapshots, or even use the microphone to eavesdrop—all without the user realizing they’ve been duped.

For IT administrators managing fleets of Windows devices through Group Policy or Intune, this CVE underscores the need for automated update enforcement. The medium severity might dodge emergency patches, but the risk of social engineering makes it a priority for any organization with endpoints handling confidential video meetings.

Developers who rely on the getUserMedia() API should double-check that their web applications don’t inadvertently make users more susceptible to spoofing. The vulnerability wasn’t in the API itself but in how Chrome rendered the permission prompt, so developers don’t need to change their code—but they should encourage users to stay updated.

How MediaCapture Spoofing Works—and Why Browsers Still Get Fooled

The MediaCapture API is a core part of modern web apps. When a site like Zoom or Google Meet requests camera access, Chrome displays a distinctive pop-up asking the user to allow or block. This prompt is rendered by the browser’s native UI, not by the webpage, so it should be immune to manipulation. CVE-2026-13985 shows that barrier can break.

While Google hasn’t shared deep technical details (to protect users still updating), security researchers explain that UI spoofing attacks often exploit race conditions or rendering bugs that let a malicious site overlay its own fake prompt on top of the real one. The fake can be pixel-perfect, including logos and button styles, but the actual “Allow” click gets intercepted by the attacker’s script. In some variants, the spoofing could be triggered by a pop-under window or a full-screen transition that momentarily confuses Chrome’s rendering pipeline.

What makes this CVE notable is its target: the user’s trust in the browser. For years, Chrome has trained users to trust the permission prompt as a gatekeeper. Cracking that trust opens a direct path to the camera and mic—permissions that can be exploited for blackmail, corporate espionage, or unlocking biometric security on other platforms.

The Path to CVE-2026-13985: Chrome’s Ongoing UI Integrity Battle

UI spoofing vulnerabilities are a recurring theme in Chrome’s security history. In 2024 and 2025 alone, Google patched at least half a dozen CVEs related to fullscreen transitions, input overlays, and notification spoofing. The MediaCapture API had its own scare in late 2025 when a bug allowed sites to enumerate available cameras without showing any permission prompt at all—a far stealthier bug than this one.

CVE-2026-13985 was discovered by an external researcher through Google’s bug bounty program, though the company hasn’t publicized the finder’s name or the reward amount. The vulnerability took roughly three weeks from internal discovery on June 9 to a stable channel fix on June 30, which is a typical turnaround for a medium-severity issue.

The fact that Chrome 150 rolled out with other features—like enhanced memory saver modes and new PDF annotations—likely helped this security fix fly under the radar. As a mid-cycle update, it didn’t get the same press as a major release, but for Windows users, the security payload is far more important than any cosmetic change.

Updating Chrome Right Now—and What Admins Need to Do

For Home Users on Windows:
1. Open Chrome, click the three-dot menu > Help > About Google Chrome.
2. Chrome will automatically check for updates and download the latest version.
3. If the version number is 150.0.7871.47 or higher, you’re protected. If not, click “Relaunch” after the update downloads.
4. Double-check the installed version: go to chrome://settings/help and confirm it reads 150.0.7871.47 or higher. If an update is still pending, restart the browser.

For Managed Environments (Windows Enterprise/Education):
- Use your standard software deployment tool (Microsoft Intune, SCCM, PDQ Deploy) to force-install Chrome 150.0.7871.47. The MSI installer is available on Google’s enterprise download page.
- Check Edge separately: the same vulnerability exists in Edge builds that predate the fix. Update via Windows Update or from within Edge itself (Settings > About Microsoft Edge).
- Review Group Policy settings to ensure Chrome updates aren’t blocked. Many organizations freeze browser versions for compatibility testing—lift that freeze for this patch.
- Monitor for any unusual camera access logs in Windows Event Viewer or your EDR platform. While exploitation was unknown on June 30, it’s now public knowledge.

For Chromium-Based App Developers:
- Rebuild installers for your Electron or CEF-based desktop apps with the latest Chromium bits (aligned with Chrome 150 stable).
- If your app uses the MediaCapture API, inform users that updating your app also patches the UI spoofing risk.
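A PowerShell check an administrator could run on a Windows endpoint to cover the version and camera-access steps above, written here as an added example rather than anything from Google or the article; the browser install paths and the CapabilityAccessManager ConsentStore registry layout it reads are assumptions about a default Windows 10/11 setup.

```powershell
# Added example (not Google's or the article's code): report Chrome and Edge build numbers
# against the patched Chrome version from the advisory, then list recent webcam use that
# Windows records per desktop app. Install paths below are assumed defaults; adjust as needed.
$PatchedChrome = [version]'150.0.7871.47'

$Browsers = @(
    @{ Name = 'Chrome'; Paths = @(
        "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
        "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
        "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe") },
    @{ Name = 'Edge';   Paths = @(
        "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe",
        "$env:ProgramFiles\Microsoft\Edge\Application\msedge.exe") }
)

foreach ($b in $Browsers) {
    $exe = $b.Paths | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $exe) { Write-Output "$($b.Name): not installed"; continue }
    # Compare as [version], not as a string, so 150.0.7871.5 sorts below 150.0.7871.47
    $ver = [version](Get-Item $exe).VersionInfo.ProductVersion
    if ($b.Name -eq 'Chrome') {
        $status = if ($ver -ge $PatchedChrome) { 'PATCHED' } else { 'NEEDS UPDATE' }
    } else {
        # The article gives no fixed Edge build number; report it for manual comparison
        $status = 'verify against Microsoft release notes'
    }
    Write-Output "$($b.Name): $ver ($status)"
}

# Recent webcam use per desktop app: Windows keeps LastUsedTimeStart/Stop (FILETIME) under
# the ConsentStore key; subkey names encode the exe path with '#' in place of '\'.
# A browser entry with a start time nobody can account for is worth a closer look.
$Store = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged'
Get-ChildItem $Store -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    if ($p.LastUsedTimeStart) {
        [pscustomobject]@{
            App   = ($_.PSChildName -replace '#', '\')
            Start = [datetime]::FromFileTime($p.LastUsedTimeStart)
            # A Stop value of 0 means the camera session is still open
            Stop  = if ($p.LastUsedTimeStop -gt 0) { [datetime]::FromFileTime($p.LastUsedTimeStop) } else { 'in use' }
        }
    }
} | Sort-Object Start -Descending | Format-Table -AutoSize
```

The ConsentStore entries only reflect OS-level camera sessions; which website inside the browser used the stream must be correlated from the browser's own site-permission settings or your EDR telemetry.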

Beyond This Patch: Chrome’s Ongoing Battle Against Scripted Trickery

Google’s quick fix for CVE-2026-13985 is just one chapter in a longer struggle. The MediaCapture working group is still debating stricter UI guidelines that would make spoofing harder—such as requiring a prolonged delay before prompts appear, using non-skippable animations, or embedding the calling site’s origin more prominently. Some proposals have been criticized for adding friction to legitimate use, but a spoofing bug this clean could reignite that debate.

For Windows users, the takeaway is clear: browser patches are your first and best defense against social-engineering scams that turn the browser’s own UI against you. Automatic updates are your friend. And any time you see a camera or mic prompt pop up unexpectedly, pause—close the tab, update Chrome, then revisit.

Google says the next Chrome release, version 151, will include further hardening of the permission prompt rendering stack, though it’s too early to tell if that’s a direct response to this CVE or business as usual. Either way, staying on the bleeding edge of stable channel updates remains the smartest move for Windows users who want to stay one step ahead of attackers who’ve learned that the browser’s own front door can sometimes be picked open.