Google released an urgent Chrome update on June 30, 2026, plugging a permissions UI spoofing hole that attackers could exploit to silently hijack camera, microphone, or location access. The stable channel update to version 150.0.7871.47 for Windows, Mac, and Linux addresses CVE-2026-13996, a medium-severity flaw that lets a remote attacker craft a malicious page mimicking the browser’s own security prompts.
Unlike typical phishing tricks, this spoofing attack manipulates the actual permissions interface that Chrome paints—meaning even cautious users could be fooled into clicking “Allow” on a dialog that looks identical to the real thing. Users who haven’t updated should do so immediately; administrators managing fleets of browsers should treat this as a priority patch.
The Vulnerability: How Attackers Can Spoof Chrome’s Permissions UI
The core problem, as described in the CVE disclosure, is a flaw in how Chromium renders the permissions dialog. By crafting a specially designed webpage, an attacker can overlay or mimic the security UI that normally appears when a site requests access to sensitive hardware or data—camera, microphone, location, notifications, or even USB devices.
When a legitimate site asks for your camera, Chrome shows a clear dialog, intended to be non-spoofable, that carries the site’s origin and a block/allow choice. That dialog is supposed to be rendered in an isolated layer that web content cannot touch. CVE-2026-13996 breaks that isolation, allowing a malicious page to present a fake dialog that the user might not distinguish from the real one. The technical details remain under wraps while users patch, but the advisory explicitly states the attack works with a “crafted HTML page,” meaning it can be delivered entirely through a compromised or malicious website—no software install required.
The severity rating sits at “medium,” not because the impact is low, but because exploitation requires user interaction (clicking “Allow” on a spoofed dialog). That said, UI redressing attacks like this have a long history of effectiveness; users have been conditioned to click through permissions prompts, and a well-timed fake can capture sensitive grants before anyone suspects foul play.
What’s at Stake for Home Users and Enterprise Admins
For everyday users, the immediate risk is unauthorized access to the most personal sensors on your device. An attacker who tricks you into granting camera permission can silently record video; microphone access enables eavesdropping; location tracking can pinpoint your physical whereabouts. Because the permission grant looks legitimate, Chrome will continue to allow the attack page to access these sensors until you manually revoke the permission in settings—and most users never check.
For enterprise administrators managing Chrome through Group Policy or endpoint management, this vulnerability highlights a larger challenge: UI spoofing can bypass organizational policies that restrict permissions to an allowlist. If an employee is tricked into granting camera access to a malicious domain, that domain can then stream video even if your policy blocks unknown sites. The fix is straightforward—deploy the update—but the incident serves as a reminder that technical controls must be paired with user education.
Power users and developers should also note that the flaw could be chained with other exploits. If an attacker can first spoof a permissions dialog, they might then exploit a separate bug in the camera or microphone API to execute code or exfiltrate data. While no such chaining has been reported for this CVE, the history of Chromium vulnerabilities shows that UI spoofing often acts as a stepping stone.
How We Got Here: A History of UI Redressing in Chrome
Chrome has battled spoofed interfaces for over a decade. The browser’s architecture deliberately separates the rendering of security-critical UI from web content—a concept known as “privileged UI.” The address bar, permission prompts, and certificate warnings are drawn by the browser chrome itself, not by HTML or JavaScript from the page. This makes it theoretically impossible for a site to draw over or modify those elements.
But theory and practice often diverge. Over the years, attackers have found creative ways to circumvent these protections:
- In 2018, CVE-2018-6057 was patched after researchers demonstrated a way to overlay a fake permission prompt on top of the real one using CSS and iframes.
- In 2020, CVE-2020-6519 allowed a malicious site to intercept input meant for a full-screen permission prompt, effectively forcing a grant.
- In 2023, a series of “tab-under” bugs tricked users into granting permissions while thinking they were interacting with a different site.
Each time, the fix involved tightening the rendering pipeline or adding new anti-spoofing checks. CVE-2026-13996 is the latest in this lineage, showing that despite Chrome’s engineering investment, the cat-and-mouse game continues. The timing of this patch—just days after the Chrome 150 milestone rolled out—suggests it was discovered post-release and rushed through the vulnerability disclosure process. Google’s advisory credits an anonymous external researcher for the report, though details remain sparse as the fix propagates.
What to Do Now: Update Chrome Immediately
The single most important action is to ensure Chrome has updated to version 150.0.7871.47 or later. The browser checks for updates automatically, but you can force an update right now:
- Open Chrome and click the three-dot menu in the top-right corner.
- Go to Help > About Google Chrome.
- Chrome will check for updates. If an update is available, it will start downloading automatically.
- Once the download completes, click Relaunch to finish.
After updating, verify the version by heading back to the About page. It should read 150.0.7871.47 or higher. If you don’t see that number, the update may not have reached your region yet—keep checking every hour.
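For admins checking many machines, the version comparison is easy to get wrong with plain string matching. The following is an added example, not a tool from Google: it assumes the `Google Chrome 150.0.7871.47` line that `google-chrome --version` prints on Linux and Mac (the `google-chrome` binary name is an assumption), also accepts a bare version copied from chrome://version, and treats anything it cannot parse as unpatched.

```python
# Added version check, not a Google tool. It assumes the "Google Chrome
# 150.0.7871.47" line that `google-chrome --version` prints on Linux/Mac
# and also accepts a bare version copied from chrome://version. Versions
# are compared component by component: a plain string comparison would rank
# "150.0.7871.9" above "150.0.7871.47" because "9" sorts after "4".
import re
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = "150.0.7871.47"  # build named in the advisory for CVE-2026-13996
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Pull the four numeric components out of a version line, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_patched(reported: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the reported build is at or above the fixed build.
    Unparsable input counts as unpatched: never report 'safe' on a guess."""
    have, want = parse_version(reported), parse_version(fixed)
    if have is None or want is None:
        return False
    return have >= want  # tuple comparison is lexicographic over ints


def installed_version(binary: str = "google-chrome") -> Optional[str]:
    """Ask the local binary for its version; None if it is not on PATH."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    ver = installed_version()
    if ver is None:
        print("Chrome binary not found; read the version from chrome://version")
    else:
        print(ver, "->", "patched" if is_patched(ver) else "UNPATCHED: update now")
```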
For enterprise deployments, use your standard patch management tool to push the latest MSI or PKG installers from the Chrome Enterprise download page. Group Policy templates do not need to change; the fix is entirely within the browser executable. Administrators should also check the GCP console for any Chrome Browser Cloud Management reports that might indicate compromised devices.
If you suspect you’ve already fallen victim to this or a similar spoofing attack, review your current permission grants:
- Click the lock icon or “tune” icon in the address bar.
- Select Site settings.
- Look for any unexpected sites with camera, microphone, or location set to “Allow.”
- Remove any you don’t recognize.
For additional peace of mind, consider resetting all site permissions to default: go to Settings > Privacy and security > Site settings and scroll down to “View permissions and data stored across sites.” There you can clear all permissions in one go, though you’ll need to re-grant them to trusted sites later.
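The same review can be done offline against a profile’s Preferences file, which helps when auditing several machines. This is an added script, not Google’s code; it assumes Chrome’s layout of `profile.content_settings.exceptions` with `"setting": 1` meaning Allow, and the embedded sample profile is constructed, not captured from a real browser.

```python
# Added audit helper, not Google's code. Assumes Chrome's Preferences JSON
# layout: grants sit under profile.content_settings.exceptions.<type>, keyed
# "pattern,secondary_pattern", with "setting": 1 meaning Allow (2 = Block,
# 3 = Ask). Close Chrome before reading the file; it is rewritten while open.
import json
import sys
from typing import Dict, List, Set, Tuple

SENSOR_TYPES = ("media_stream_camera", "media_stream_mic", "geolocation")
ALLOW = 1

# Constructed sample of the relevant slice of a Preferences file (not from a
# real profile): one expected video-call site and one unfamiliar origin.
SAMPLE_PREFS = {"profile": {"content_settings": {"exceptions": {
    "media_stream_camera": {
        "https://meet.example.com:443,*": {"setting": ALLOW},
        "https://cdn-update-check.example.net:443,*": {"setting": ALLOW},
    },
    "media_stream_mic": {
        "https://meet.example.com:443,*": {"setting": ALLOW},
        "https://cdn-update-check.example.net:443,*": {"setting": ALLOW},
    },
    "geolocation": {
        "https://maps.example.org:443,*": {"setting": 2},  # Block: nothing to flag
    },
}}}}


def allow_grants(prefs: Dict) -> List[Tuple[str, str]]:
    """Return (permission type, site) for every explicit Allow grant."""
    exceptions = prefs.get("profile", {}).get("content_settings", {}).get("exceptions", {})
    found = []
    for kind in SENSOR_TYPES:
        for pattern, entry in exceptions.get(kind, {}).items():
            if entry.get("setting") == ALLOW:
                found.append((kind, pattern.split(",", 1)[0]))
    return found


def unexpected_grants(prefs: Dict, trusted: Set[str]) -> List[Tuple[str, str]]:
    """Allow grants whose site is not on the administrator's expected list."""
    return [(k, s) for k, s in allow_grants(prefs) if s not in trusted]


if __name__ == "__main__":
    # Usage: python audit.py [Default/Preferences] [trusted-origin ...]
    prefs = json.load(open(sys.argv[1], encoding="utf-8")) if len(sys.argv) > 1 else SAMPLE_PREFS
    for kind, site in unexpected_grants(prefs, set(sys.argv[2:]) or {"https://meet.example.com:443"}):
        print(f"REVIEW {kind}: {site}")
```

Anything the script prints is a grant to revoke through Site settings unless someone can explain it.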
Outlook: What to Watch Next
This patch is unlikely to be the last word on UI spoofing in Chrome. The Chromium security team continuously refines the browser’s rendering isolation, but each new feature—picture-in-picture, sub-frame permissions, web portal overlays—introduces fresh attack surface. Users should expect further security updates in the coming weeks as the underlying class of bugs gets scrutinized. For now, the immediate threat is contained: update Chrome, verify the version, and stay vigilant against any unsolicited permission prompts, especially on unfamiliar sites.
Google has not indicated whether this flaw has been exploited in the wild, and no proof-of-concept code has been publicly released as of the patch date. However, the usual pattern is for exploits to surface within days of a patch, so timely updating is critical. Keep an eye on the Chrome Releases blog for any late-breaking guidance on this CVE.