Google shipped an urgent update for Chrome on Wednesday, version 150.0.7871.47, plugging a vulnerability that let attackers bypass the browser’s site isolation defenses if they first compromised a renderer process. The flaw, tracked as CVE-2026-13806, stemmed from an accessibility feature that incorrectly exposed data across different websites. Anyone still running an earlier build of Chrome should update immediately.

The Patch: Chrome 150.0.7871.47

The update is available now for Windows and Mac users through Chrome’s built-in autoupdate mechanism, or via a manual check under Help > About Google Chrome. The update addresses a single security issue that Google deems important enough to push a standalone release. Linux and mobile versions of Chrome were not listed among the affected platforms in Google’s initial advisory.

According to Google’s disclosure, the vulnerability was classified as internal, meaning the company’s own security researchers or a trusted external party found it before any malicious exploitation could be detected in the wild. The severity rating is high, reflecting the potential for an attacker to read sensitive data from any website a victim is logged into, even if those sites are unrelated and loaded in separate tabs.

How the Vulnerability Worked

To understand the threat, you need to know a little about Chrome’s site isolation architecture. The browser runs each website in its own renderer process, essentially creating a sandbox so that a compromise in one tab cannot spill into another. This design was originally hardened to combat speculative execution attacks like Spectre, but it has become a cornerstone of Chrome’s security model. If a malicious script finds a way to escape the JavaScript engine and execute arbitrary code inside the renderer process, it is still trapped inside that process’s sandbox and cannot directly read data from other sites.

Accessibility features, however, pose a unique challenge. Screen readers and other assistive technologies often need to aggregate information from multiple browser processes to present a coherent view of the page. To support this, Chrome exposes an accessibility API that can, under specific conditions, reach across process boundaries. In the vulnerable versions prior to 150.0.7871.47, the API’s access controls were not sufficiently strict. A compromised renderer process could exploit this weakness to siphon data from other isolated renderers. In practical terms, an attacker who first gained a foothold — via a separate memory corruption bug, for instance — could then use this secondary flaw to read your webmail, bank balances, or corporate documents open in another tab.

Crucially, the attacker must already have code execution inside a renderer. This means CVE-2026-13806 is not a remote code execution bug on its own; it is a privilege escalation within the browser that breaks the site isolation guarantee. For end users, the immediate risk depends on whether the attacker can pair this flaw with a separate renderer compromise.

Who Is Affected and What’s the Real Risk?

For everyday users: If you let Chrome update automatically, you are already protected once you restart the browser. The risk for the average person is low because it requires a two-step attack: first a renderer compromise, then the site isolation bypass. Still, malvertising campaigns and watering-hole attacks sometimes chain multiple exploits, so never delay browser updates.

For power users: If you manually manage Chrome or use extensions that run in the renderer process (content blockers, password managers, script injectors), your attack surface may be slightly larger. Verify that site isolation is fully enabled: type chrome://flags#site-isolation-trial-opt-out in the address bar and confirm the flag is set to “Enabled” or “Default.” Most modern Chrome builds have site isolation on by default, but enterprise policies or legacy configurations might have disabled it.

For IT administrators: In a corporate environment, this vulnerability is a significant concern. A single user’s browser compromise could expose session cookies and data from internal web applications, potentially leading to lateral movement. Deploy the update through Google Update group policies or an enterprise software management tool as soon as possible. Additionally, check your fleet for any web apps that rely on iframes with cross-origin content — those are the exact scenarios site isolation is meant to protect, and a bypass would undermine them completely.

For users of other Chromium browsers: Microsoft Edge, Brave, Opera, and others share a common codebase with Chrome. At the time of writing, Google has not explicitly stated whether the Chromium project released a patch to other vendors ahead of its own disclosure. But typically, these browsers incorporate security patches within a day or two. Check each browser’s update mechanism and be on the lookout for new versions.

A Brief History of Site Isolation and Its Bypasses

Chrome began enforcing strict site isolation in 2018 with Chrome 63, largely as a response to the Spectre and Meltdown vulnerabilities that threatened to break the assumptions behind same-origin policy enforcement. Over the years, Google has steadily extended site isolation to more content types and extension pages. Despite the robust architecture, the complexity of rendering, process management, and accessibility integration has given rise to several bypasses.

In 2019, CVE-2019-5786 allowed a compromised renderer to escape into the browser process via the FileReader API, leading to full system compromise. More recently, in 2021, CVE-2021-21182 was another site isolation bypass tied to payment handler logic. The common thread is that any mechanism that bridges isolated processes must be meticulously audited, and accessibility APIs have repeatedly surfaced as a weak point. The very nature of assistive technology — needing to assemble cohesive information from separate security contexts — puts it at odds with strict isolation. Google’s engineering teams have historically responded by refactoring these interfaces to enforce access checks, and this latest patch is yet another link in that chain.

Your Action Plan: Updating and Hardening Chrome

  1. Update Chrome now
    Open the three-dot menu in the top-right corner, choose Help > About Google Chrome. The browser will check for updates and automatically download and install 150.0.7871.47. Click “Relaunch” to complete the process.

  2. Verify the version
    After the relaunch, go back to About Google Chrome and confirm the version number reads 150.0.7871.47 (or higher). If you see an earlier version, repeat the update process or download the latest installer directly from google.com/chrome.

  3. For enterprise deployments
    Use Google Update administrative templates to force an immediate update. Set the ApplicationVersion policy to target 150.0.7871.47, or rely on the automatic update interval you have configured. After deployment, audit your endpoints using a tool like Chrome’s browser management console or a third‑party endpoint management solution to confirm the patch level.

  4. Double-check site isolation
    While site isolation is enabled by default today, some environments may have it disabled for performance reasons. Visit chrome://process-internals and look at the “Site Isolation Mode” entry. It should say “Strict” or “Enabled.” If it says “Disabled,” you can re-enable it by navigating to chrome://flags#site-isolation-trial-opt-out and setting it to “Enabled,” or by configuring the SitePerProcess policy in your admin templates.

  5. Consider additional hardening
    For sensitive work, you can enable Chrome’s “Enhanced security” mode under Settings > Privacy and security > Security, choosing the “Keep you more secure” option. This enables additional protections like disabling JavaScript on potentially dangerous sites, but it is not a direct mitigation for this bug.
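
One way to run the patch-level check from steps 2 to 4 across a fleet, as an added example that is not part of the original article or any Google tooling. The inventory format, its column names and the sample rows are constructed assumptions; only the fixed build number 150.0.7871.47 and the SitePerProcess policy name come from the text above.

```python
import csv
import io

FIXED_BUILD = "150.0.7871.47"  # patched build named in the article

# Constructed sample inventory export; column names are assumptions.
SAMPLE_INVENTORY = """host,chrome_version,site_per_process
ws-001,150.0.7871.47,true
ws-002,150.0.7871.5,true
ws-003,149.0.7800.120,true
mac-004,151.0.7900.10,false
ws-005,unknown,
"""


def parse_version(text):
    """Return a 4-tuple of ints for a dotted Chrome version, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def audit(inventory_csv, fixed=FIXED_BUILD):
    """Map each host to a list of findings; an empty list means nothing to fix."""
    fixed_v = parse_version(fixed)
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        findings = []
        version = parse_version(row["chrome_version"])
        if version is None:
            findings.append("version-unreadable")  # treat as unpatched until verified
        elif version < fixed_v:  # numeric compare: 7871.5 sorts below 7871.47
            findings.append("below-fixed-build")
        # The article points to the SitePerProcess policy for enforcing isolation;
        # anything other than an explicit true is reported for review.
        if (row["site_per_process"] or "").strip().lower() != "true":
            findings.append("site-per-process-not-enforced")
        report[row["host"]] = findings
    return report


if __name__ == "__main__":
    for host, findings in audit(SAMPLE_INVENTORY).items():
        print(host, "OK" if not findings else ", ".join(findings))
```

Comparing the version as a tuple of integers matters here: a plain string comparison would rank 150.0.7871.5 above 150.0.7871.47 and report an unpatched host as current.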

What Comes Next

Google typically withholds technical deep-dives for a few weeks to give users time to update, so expect a more detailed write-up on the Chrome Releases blog or the Chromium security page around the end of the month. At the moment, there are no public reports of active exploitation, but a site isolation bypass is a high-value target for sophisticated attackers — particularly those involved in targeted phishing or watering-hole operations. As always, the best defense is a patched and properly configured browser. Keep an eye on the Chrome Releases blog for any additional fixes or adjustments related to this vulnerability.