Google shipped an urgent update for Chrome on Monday, closing a CSS-based side-channel vulnerability that could allow remote attackers to steal sensitive cross-origin data from embedded web pages. The flaw, tracked as CVE-2026-14085, affects Chrome 150 for Windows and macOS, and although rated low severity, it represents a subtle yet dangerous breach of the browser’s same-origin policy.
A bug that broke the browser’s isolation walls
Chrome 150.0.7871.47 arrived on June 30, 2026, with a single patch note that security-conscious users shouldn’t ignore. The update addresses a CSS side-channel information leak in Chromium’s rendering engine. In plain terms, a malicious website could exploit the way Chrome processes Cascading Style Sheets to infer the content of a cross-origin iframe—a web page from a different domain embedded inside the attacker’s page.
Side-channel attacks in browsers are not new, but they remain particularly insidious because they don’t rely on direct code injection. Instead, they measure indirect effects—in this case, timing differences triggered by CSS rules. Researchers have long warned that CSS can be weaponized for data theft through techniques like CSS injection or complex DOM probing. The attacker crafts a page with an iframe pointing to, say, your online banking portal. By applying specific CSS selectors and measuring how long the browser takes to render or repaint the page, the attacker can deduce whether certain text—like "Logout" or portions of a CSRF token—appears inside the iframe. Over time, those tiny bits add up to a complete data exfiltration.
Google hasn’t released the full technical details yet, but the Chromium bug tracker describes CVE-2026-14085 as a low-severity issue with a CVSS score of 3.1. Despite the low rating, the ability to sidestep cross-origin boundaries gives it an outsized importance. The vulnerability resides in the way Chromium’s CSS parsing interacts with the browser’s security checks. By toggling CSS properties and analyzing render times, an unauthorized script could harvest content that the same-origin policy is supposed to lock away.
What this means for you
For everyday users, the practical risk is limited—but not zero. An attacker still needs to trick you into visiting a specially crafted malicious site while you’re logged into a targeted service in another tab or window. The data leakage is slow and incremental, potentially requiring hundreds of page loads to extract a single meaningful string. However, short, high-value tokens like password reset links or one-time codes are exactly the kind of prey these attacks hunt. If you’re a routine updater, Chrome’s silent auto-patch will have already handled the fix; if you manually update, jump to version 150.0.7871.47 or newer right away.
IT administrators managing corporate fleets should push this update promptly. The low severity might lull teams into a slower rollout, but the nature of the bug—leaking cross-origin data—makes it a privacy and compliance risk in environments where employees handle sensitive customer data via browser-based dashboards. Confirm that your endpoint management tool is deploying Chrome 150.0.7871.47 across Windows and Mac devices, and verify that the update landed by checking chrome://version.
Web developers need to be aware that the same-origin policy isn’t foolproof. This CVE underscores that even CSS, historically seen as a presentation-only layer, can be co-opted into a surveillance tool. Review your Content Security Policy headers to ensure they’re as tight as possible, and consider using Frame-Options or X-Frame-Options to control embedding, though those headers won’t block a side-channel attack alone. The real defense is the browser patch, but defense-in-depth never hurts.
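One way to carry out the header review suggested above, as an added example that is not from Google's advisory: it checks a response's Content-Security-Policy for the `frame-ancestors` directive and its X-Frame-Options value. The sample responses and their names are constructed for illustration.

```python
def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        # CSP ignores repeated directives, so the first occurrence wins.
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def framing_findings(headers):
    """Return findings about which origins may embed this response in a frame."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    # default-src is not a fallback for frame-ancestors; it must be set itself.
    ancestors = parse_csp(h.get("content-security-policy", "")).get("frame-ancestors")
    xfo = h.get("x-frame-options", "").strip().upper()

    if ancestors is None:
        findings.append("CSP has no frame-ancestors directive")
    elif "*" in ancestors or any(s in ("http:", "https:") for s in ancestors):
        findings.append("frame-ancestors allows any origin to embed the page")

    if not xfo:
        if ancestors is None:
            findings.append("no X-Frame-Options either: any site can frame this page")
    elif xfo.startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM is ignored by current browsers")
    elif xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options value is not DENY or SAMEORIGIN")
    return findings


# Constructed sample responses (hypothetical services, not real sites).
SAMPLES = {
    "dashboard": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
                  "X-Frame-Options": "DENY"},
    "legacy": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "open": {"Content-Security-Policy": "default-src 'self'"},
    "wild": {"Content-Security-Policy": "frame-ancestors *"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, framing_findings(hdrs) or "framing restricted")
```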
How we got here
Side-channel attacks burst into public consciousness with Spectre and Meltdown in 2018, but CSS-based probing has a longer, quieter history. As early as 2002, researchers demonstrated that CSS visited-link styles could leak browsing history. By 2018, novel techniques using CSS mix-blend modes and SVG filters were shown to steal text from same-origin pages. The steady stream of related CVEs—CVE-2019-5825, CVE-2020-15987, CVE-2021-37975—tracks a cat-and-mouse game between browser vendors and researchers.
Chrome 150, released in late June 2026, had already shipped with dozens of security fixes in its initial stable version. CVE-2026-14085 is the first post-release patch for the 150 branch, indicating it was discovered after the initial rollout—possibly through Google’s own internal fuzzing or a bug bounty submission. Google’s policy is to withhold technical details until a majority of users have updated, which is why the advisory remains vague. The Chrome release blog entry for this version simply notes, “We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel,” without naming names. That credit will likely appear in a later update once the embargo lifts.
The low severity rating might seem at odds with the cross-origin data exposure, but CVSS scoring often punishes complexity and prerequisites. This attack requires significant user interaction (visiting a malicious site) and a specific browsing context (a logged-in session on the targeted domain), which depresses the score. Nonetheless, its potential to erode the fundamental trust boundary of the web makes it a must-fix.
What to do now
The remedy is straightforward: update Chrome immediately.
- Check your current version. Open Chrome, click the three-dot menu → Help → About Google Chrome. The version number appears at the top.
- If you see anything lower than 150.0.7871.47, click “Update Google Chrome.” If you don’t see that button, the browser will download the update automatically and prompt a relaunch.
- Relaunch Chrome. All your tabs should restore, but save any work in web apps beforehand to avoid data loss.
- For enterprise deployments, the MSI and PKG installers for Windows and Mac (respectively) are available on the Chrome Enterprise download page. Use your standard patching pipeline to roll out the update, and consider enabling Chrome’s legacy browser support mode if you have internal apps that are slow to certify new browser versions.
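For the fleet verification described above and in the note to IT administrators, here is an added example (not Google's or any vendor's tooling) that checks an inventory export against the fixed build 150.0.7871.47. The CSV column names and hostnames are assumptions and the inventory is constructed; the comparison is numeric per component because a plain string comparison misorders builds such as .9 and .100.

```python
import csv
import io

FIXED = "150.0.7871.47"  # first patched build named in the article


def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints; None if it is not a Chrome version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def audit(inventory_csv, fixed=FIXED):
    """Classify each host as 'patched', 'outdated' or 'unknown'."""
    floor = parse_version(fixed)
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        ver = parse_version(row.get("chrome_version") or "")
        if ver is None:
            # A host that reported no usable version is not assumed to be safe.
            result[row["host"]] = "unknown"
        else:
            # Tuples compare component by component, so .9 < .47 < .100.
            result[row["host"]] = "patched" if ver >= floor else "outdated"
    return result


# Constructed inventory export; hostnames and column names are hypothetical.
INVENTORY = """host,os,chrome_version
win-001,Windows,150.0.7871.47
win-002,Windows,150.0.7871.9
mac-001,macOS,150.0.7871.100
mac-002,macOS,149.0.7800.120
win-003,Windows,
"""

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` deserve the same follow-up as `outdated` ones, since a missing version usually means the agent did not report.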
There are no known workarounds or configuration changes that block this attack. It’s a bug in the browser’s core, so only the patch eliminates the risk. Disabling JavaScript wouldn’t help, as the technique relies on CSS parsing timing, not script execution.
What to watch next
Once the embargo period ends, expect a detailed write-up from the Google Project Zero team or the external researcher who reported the flaw. Those technical analyses often include proof-of-concept code that security teams can use to test their own defenses—and that attackers might adopt. If the CSS side-channel vector proves easily weaponizable, browser vendors may accelerate efforts to deprecate or restrict features like the CSS :visited pseudo-class or certain timing-sensitive filter functions.
More immediately, keep an eye on Chrome’s Stable channel updates. The 150 branch will receive incremental patches over the coming weeks, and if similar side-channel issues are discovered, they’ll land in those releases. For now, the best posture is the simplest: let Chrome update itself, restart when prompted, and treat June 30’s changelog not as background noise but as a small yet critical stitch in the web’s security fabric.