Google rolled out Chrome 150 on June 30, 2026, delivering a fix for CVE-2026-14015, a medium-severity race condition in WebRTC that could allow malicious websites to steal data across different origins. The vulnerability specifically affected Chrome on Windows, and the patch arrived with the stable channel release version 150.0.7871.47.
What changed in Chrome 150
The latest stable build of Chrome for Windows addresses a flaw in the browser’s WebRTC implementation. WebRTC, short for Web Real-Time Communication, powers peer-to-peer audio, video, and data sharing directly within the browser without plugins. It’s what lets you join a Google Meet call or share files over a web app.
CVE-2026-14015 describes a race condition—a classic concurrency bug where the timing or sequence of events affects the outcome. In this case, the race condition could be exploited to leak information from one origin to another, bypassing the same-origin policy that keeps websites isolated from each other. An attacker controlling a malicious site could potentially extract data from a legitimate site’s WebRTC session if the user visited both simultaneously.
Google classified the bug as medium severity, suggesting that exploitation was not trivial or the impact was limited. Still, cross-origin data leaks can expose authentication tokens, session identifiers, or other sensitive content. The fix is included in version 150.0.7871.47. The official Chrome release blog didn’t single out this CVE, but the update log confirms it as part of the security patches bundled with the release. According to the National Vulnerability Database (NVD), the vulnerability existed in Chrome for Windows prior to this version.
What it means for you
For home users
If you use Chrome on a Windows PC, update immediately. Cybercriminals are quick to reverse-engineer patches, and a working exploit could appear within days. While no active exploitation has been reported, the public disclosure via NVD puts the details in the open. Updating Chrome is simple and takes less than a minute. Once updated, the browser restarts and you’re protected. Chrome normally updates itself silently in the background, but manually checking doesn’t hurt.
For IT administrators
Enterprise environments must push this update across fleets now. Use your standard deployment pipeline—SCCM, Group Policy, or endpoint management tool. Download the latest Chrome MSI installer for Windows (version 150.0.7871.47 or newer) from Google’s enterprise download page and deploy it to all managed devices. Because this vulnerability is already public, delay increases risk. Consider temporarily disabling WebRTC via group policy if you cannot update quickly, though this may break real-time communication apps. The “Block WebRTC” policy can be set in Chrome’s ADMX templates, but test thoroughly before enforcement. Keep an eye on the Chrome enterprise release notes for any caveats. So far, no functional regressions have been reported.
For web developers
If your application uses WebRTC, this patch doesn’t introduce API changes. But it underscores the need to sanitize data and assume cross-origin leaks can happen if the browser has a flaw. Enforce strict isolation between origins and validate incoming WebRTC traffic. Consider sending Cross-Origin-Opener-Policy (COOP) and Cross-Origin-Embedder-Policy (COEP) response headers so that your pages become cross-origin isolated, which scripts can confirm through the crossOriginIsolated property, to harden your site against side-channel attacks. If you maintain a WebRTC service, monitor Chromium’s issue tracker for any post-mortem analysis of CVE-2026-14015. Understanding the root cause can help you avoid similar pitfalls.
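The COOP/COEP hardening mentioned above, as an added example (not code from Google or Chromium): a helper that sets both headers on a response and an audit function that explains why a given header set would or would not meet the requirements for cross-origin isolation. The function names and sample inputs are assumptions made for illustration.

```javascript
// Added example: header names/values are the standard COOP and COEP ones;
// function names and sample inputs are constructed for illustration.
const ISOLATION_HEADERS = {
  'Cross-Origin-Opener-Policy': 'same-origin',
  'Cross-Origin-Embedder-Policy': 'require-corp',
};

// Set both headers on anything exposing setHeader(name, value),
// such as Node's http.ServerResponse.
function applyIsolationHeaders(res) {
  for (const [name, value] of Object.entries(ISOLATION_HEADERS)) {
    res.setHeader(name, value);
  }
  return res;
}

// First token of a header value, lower-cased
// ('same-origin; report-to="x"' -> 'same-origin').
function policyToken(value) {
  return String(value || '').split(';')[0].trim().toLowerCase();
}

// Check whether a response's headers meet the header requirements for
// self.crossOriginIsolated, and list what is wrong if they do not.
function auditIsolation(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const coop = policyToken(h['cross-origin-opener-policy']);
  const coep = policyToken(h['cross-origin-embedder-policy']);
  const problems = [];
  if (coop !== 'same-origin') {
    problems.push(`COOP is "${coop || 'missing'}"; isolation needs "same-origin"`);
  }
  if (coep !== 'require-corp' && coep !== 'credentialless') {
    problems.push(`COEP is "${coep || 'missing'}"; isolation needs "require-corp" or "credentialless"`);
  }
  // Report-Only variants log violations but never enforce the policy.
  for (const base of ['cross-origin-opener-policy', 'cross-origin-embedder-policy']) {
    if (!(base in h) && `${base}-report-only` in h) {
      problems.push(`${base}-report-only is set, but report-only mode does not enforce`);
    }
  }
  return { isolated: problems.length === 0, problems };
}
```

A common miss this catches is `same-origin-allow-popups`, which is a valid COOP value but does not make the page cross-origin isolated.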
How we got here: A closer look at CVE-2026-14015
The timeline is unusual. The NVD published details of CVE-2026-14015 before Google’s patch, as indicated by the “after NVD publish” note. Typically, responsible disclosure sees a fix released first and the advisory published concurrently or shortly after. Here, the flaw became publicly known while still unpatched, increasing the urgency for Google to ship a fix.
The CVE was likely reported by an external researcher through Google’s Vulnerability Reward Program, though the reporter hasn’t been named. The race condition resides deep in WebRTC’s code, which handles real-time data flows with multiple threads. Such bugs are notoriously difficult to spot in testing because they depend on precise timing that may not surface in normal use. On Windows, differences in thread scheduling or memory handling might make the race condition exploitable where it wasn’t on other platforms.
Cross-origin data leaks violate the same-origin policy, a bedrock browser security mechanism. A malicious site could, for example, inject JavaScript to read data from a banking site’s WebRTC session if both are in open tabs. WebRTC has been an attractive target for years. Past issues have exposed local IP addresses, enabled remote code execution (CVE-2019-5786), and allowed denial-of-service attacks. Each new vulnerability reminds us that real-time communication protocols expand the browser’s attack surface.
What to do now: Update Chrome and stay safe
Here’s exactly how to verify and update Chrome:
- Open Google Chrome.
- Click the three-dot menu (⋮) in the top-right corner.
- Navigate to Help > About Google Chrome.
- Chrome will automatically check for updates and download any available.
- Once the download completes, click Relaunch to restart the browser.
After relaunching, revisit the About page to confirm the version reads 150.0.7871.47 or higher.
For managed environments, force an update through group policy by setting the update policy to “Always allow updates” or using Google Update’s enterprise controls. If you rely on legacy apps requiring an older Chrome version, isolate those to a dedicated VM and update the host browser immediately.
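For a fleet, the version check from the steps above can be run over an inventory export instead of one About page at a time. The following is an added example, not a Google tool: the `host,os,version` row layout, the host names and the sample versions other than 150.0.7871.47 are constructed.

```javascript
// Added example: inventory layout and sample rows are constructed.
const FIXED_VERSION = '150.0.7871.47'; // patched stable build named in the article

// Parse a four-part Chrome version into numbers; null if malformed or empty.
function parseVersion(text) {
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(String(text || '').trim());
  return m ? m.slice(1).map(Number) : null;
}

// Numeric, part-by-part comparison. A plain string compare would rank
// "150.0.7871.5" above "150.0.7871.47" and hide an unpatched host.
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Classify each "host,os,version" row. Only Windows hosts are in scope,
// because the article states the flaw affected Chrome on Windows.
function auditInventory(csv, fixed = FIXED_VERSION) {
  const floor = parseVersion(fixed);
  const report = { patched: [], vulnerable: [], unknown: [], outOfScope: [] };
  for (const line of csv.split('\n')) {
    const row = line.trim();
    if (!row || row.startsWith('#')) continue;
    const [host, os, version] = row.split(',').map((s) => s.trim());
    if ((os || '').toLowerCase() !== 'windows') {
      report.outOfScope.push(host);
      continue;
    }
    const v = parseVersion(version);
    if (!v) report.unknown.push(host); // no usable version: needs manual follow-up
    else if (compareVersions(v, floor) < 0) report.vulnerable.push(host);
    else report.patched.push(host);
  }
  return report;
}

// Constructed sample export.
const SAMPLE_INVENTORY = `# host,os,chrome_version
ws-001,Windows,150.0.7871.47
ws-002,Windows,150.0.7871.5
ws-003,Windows,149.0.7800.120
ws-004,Windows,
mac-01,macOS,149.0.7800.120
ws-005,Windows,151.0.7900.3`;
```

Hosts that land in `unknown` should be treated as unpatched until their version is confirmed.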
If you cannot update right away—perhaps you’re in the middle of critical work and can’t restart—you can take temporary precautions. Disabling WebRTC entirely eliminates risk from this specific bug, but may break functionality on sites like Google Meet, Microsoft Teams web, or Zoom web. Several Chrome extensions claim to toggle WebRTC, but the most reliable method is launching Chrome with the command-line flag --force-webrtc-ip-handling-policy=disable_non_proxied_udp to limit WebRTC to proxy connections. Still, updating remains the only sure solution. For Edge users on Windows, the Chromium-based browser typically receives security patches shortly after Chrome; watch for a corresponding Microsoft Edge update and apply it promptly.
Looking ahead: WebRTC security in Chrome
Chrome 150 is more than a security fix; it’s a scheduled major release with other improvements. Google’s rapid response—patching within days of the NVD publication—shows the Chrome security team can move quickly when public disclosure occurs out of band. However, the medium severity rating suggests the company doesn’t view this as a red-alert issue. Users should treat any data-leak vulnerability seriously.
More WebRTC-related patches will likely appear in future releases. As browsers add real-time capabilities like WebTransport and WebCodecs, the surface for race conditions expands. Google’s investment in sandboxing and site isolation helps contain exploits, but logical flaws persist. Enable automatic updates to stay ahead of the next vulnerability. IT admins should audit their update deployment processes—the window between disclosure and exploitation is shrinking.