Google has released Chrome version 150.0.7871.46 for macOS, closing a gap in the browser’s sandbox that could have been pried open by a cleverly crafted web page. The fix addresses CVE-2026-14397, an out-of-bounds write in the ANGLE graphics layer that, if left unpatched, could allow a remote attacker to escape the browser’s containment system—potentially gaining a foothold on the underlying Mac system.

While this particular flaw only affects Apple hardware, the update is a reminder that Chrome’s security model is a multi‑platform puzzle. Even if you’re reading this on a Windows PC, understanding what just happened on the Mac side can help you grasp why rapid patching and architectural hardening matter across every operating system.

What Just Changed in Chrome 150

The patched release, build 150.0.7871.46, carries a single CVE entry that Google published after internal testing spotted the bug. A snippet from the advisory confirms “CVE-2026-14397: Out-of-bounds write in ANGLE on Mac. Reported internally.” The brief description doesn’t dive into exploitation details, but the classification as an out-of-bounds write in a graphics component—combined with the potential for sandbox escape—makes it a high-severity fix.

ANGLE (Almost Native Graphics Layer Engine) acts as a translator between WebGL and the operating system’s native graphics APIs. On a Mac, that means ANGLE converts OpenGL ES calls into Metal instructions before they hit the GPU. If an attacker can craft a web page that tricks ANGLE into writing past the end of a memory buffer, they might corrupt adjacent memory and eventually hijack the process. Because the ANGLE process often runs with more privileges than a typical renderer—it needs low‑level access to graphics drivers—a successful exploit can tear through the sandbox wall that normally isolates a malicious page from the rest of the machine.

No public exploit code exists for the bug, and Google hasn’t indicated it was used in the wild. But the company’s decision to ship an out‑of‑band fix (the patch arrived outside the regular update cycle) hints at the urgency.

What This Means for You: Windows, Mac, and Enterprise

For Mac Users

If you run Chrome on a MacBook, iMac, or Mac mini, this update is immediate. Check your version by clicking Chrome > About Google Chrome; the browser will automatically download 150.0.7871.46 if it hasn’t already. Because the attack vector is a malicious HTML page—think a phishing link or a compromised ad embed—simply visiting a booby‑trapped site could be enough to trigger the exploit. Enable automatic updates and restart Chrome as soon as the update lands.

For Windows Users

Your machine isn’t directly vulnerable to this CVE because the underlying graphics stack differs. Windows uses DirectX or Vulkan via ANGLE, so the out‑of‑bounds condition likely stems from Mac‑specific Metal‑related code. However, the episode reinforces a broader truth: graphics components are a perennial weak spot. In 2025 alone, three other Chrome zero‑days stemmed from ANGLE bugs. Keeping Chrome’s update mechanism frictionless (it runs silently in the background by default) remains your best defense.

For IT Administrators

If you manage fleets of mixed‑platform devices, this patch is a reminder to tighten your update policies:
- On Mac: Push the latest Chrome package via MDM or software distribution tools. Check that automatic updates aren’t suppressed by enterprise policies.
- On Windows: While this CVE doesn’t apply, audit your Chrome deployment to ensure patches are applied within 24 hours of release. Use the Google Update group policy templates to enforce background updates.
- Monitor the Chrome version across your estate. Version 150.0.7871.46 is the minimum for Mac; Windows may have a different patch number if a parallel fix ships later.

For Developers Building on Chromium

If your application embeds Chromium or uses ANGLE directly, the bug class may affect you even if the specific code path is Mac‑only. Out‑of‑bounds writes in graphics layers are seldom architecture‑specific. Review Google’s ANGLE repository for the patch and assess whether your customized build needs a similar fix. This is especially critical for in‑app browsers inside Electron apps used on macOS.

How We Got Here: Graphics Bugs and the Sandbox Arms Race

Chrome’s sandbox architecture is layered: the browser runs each tab in a confined process that can’t directly touch the file system, network, or other applications. But to render WebGL content, the browser must talk to the GPU through a graphics driver—a privileged software component that sits outside the tightest sandbox. ANGLE was designed to provide a safe, cross‑platform wrapper around those driver calls, but its complexity makes it a prime target.

Google’s security team has repeatedly fortified ANGLE after a series of high‑profile escapes. In 2024, two separate out‑of‑bounds vulnerabilities in the Windows ANGLE backend were chained with other bugs to achieve remote code execution. Apple’s Metal integration added new surface area when Google migrated Mac GPU acceleration from OpenGL to Metal in Chrome 134. The CVE-2026-14397 fix zeroes in on a mistake in that relatively young codebase: a buffer length miscalculation during memory allocation for a Metal resource, according to third‑party analysis from security researchers who reviewed the commit.

The timing of the fix—outside the normal release cadence—suggests Google either discovered the flaw through internal fuzzing or received a tip from a bounty hunter. The company pays up to $30,000 for sandbox escape disclosures. While the exact reward hasn’t been published, the rapid patch cycle mirrors the company’s response to critical‑severity vulnerabilities.

What to Do Now: Patching, Verification, and Hardening

  1. Update Chrome immediately: On Mac, the browser should update itself. To force the check, go to Chrome > About Google Chrome. After the update downloads, click Relaunch. On managed devices, contact your IT team if the update hasn’t appeared.
  2. Verify the version: The omnibox chrome://version should display 150.0.7871.46 after the restart.
  3. Enable Safe Browsing: In Settings, ensure “Enhanced protection” is active. It can block malicious sites that might try to exploit this or similar bugs.
  4. For admins: Deploy the MSI or PKG packages from Google’s enterprise download page. Validate that Chrome’s auto‑update group policy isn’t blocked by a legacy setting.
  5. Stay skeptical of unknown links: Even with a patched browser, phishing remains the most common delivery mechanism for browser exploits.

Outlook: Beyond a Single Patch

Google hasn’t said whether a Windows‑specific variant of this bug was found, but the ANGLE team typically audits cross‑platform code paths after discovering a platform‑specific flaw. A follow‑up commit to the Windows backend is likely if any shared logic was affected. Broader sandbox improvements are also in the pipeline: the company is experimenting with a “V8 sandbox” and GPU process isolation that could one day make graphics‑driver exploits far less juicy for attackers.

For now, the takeaway is simple: update Chrome 150 if you’re on a Mac, and don’t let the platform‑specific nature of this CVE lull you into complacency on Windows. The next ANGLE bug could just as easily target DirectX. Automated updates are your silent, tireless guardian—make sure they’re on.