Google pushed Chrome 150.0.7871.47 to the stable channel for Windows and Mac on June 30, 2026. The update patches a single security flaw: CVE-2026-13890, a medium-severity out-of-bounds read in the browser’s Chromecast component. The bug could let attackers peek at sensitive data from other tabs or crash the browser.

What the update actually fixes

Chrome 150.0.7871.47 is a narrowly focused security release. The build number, 150.0.7871.47, indicates a minor bump from the previous 150.x line, and the update is rolling out over the coming days. Users can verify they’re on the patched version by visiting chrome://settings/help or clicking Help > About Google Chrome from the menu.

CVE-2026-13890 is an out-of-bounds read bug in the Chromecast feature, the plumbing that lets you fling tabs, media, and whole desktops to Cast-enabled displays. Out-of-bounds reads happen when software accesses memory outside the bounds it was allocated, essentially peeking into data it has no business seeing. In a browser, that can mean exposing contents from other websites, stored credentials, or internal process memory. It can also trigger a crash, leading to denial of service.

Google hasn’t published a detailed technical write-up yet, but the bug’s classification as medium severity suggests that exploitation requires some degree of user interaction or a complex setup. The company’s advisory confirms that no other vulnerabilities were addressed in this release, making it a single-fix security patch.

What this means for you

For everyday users: The risk is tangible but not imminent. A medium-severity bug in Chromecast means you’d need to visit a malicious page or interact with a compromised casting sender to trigger the flaw. Still, Chrome’s usual auto-update mechanism will install the fix silently within a day or two. If you rarely restart your browser, open the About page to force the update and relaunch.

For IT administrators: Push this patch through your managed update policies. Chromecast is enabled by default on many enterprise endpoints, so the attack surface exists even if casting isn’t an everyday activity. Blocking the Cast feature via group policy (EnableMediaRouter set to false) can mitigate the risk until the update deploys, though it will disable legitimate casting.

For developers and power users: If you maintain Chromium-based browsers or internal web tools that rely on the Cast SDK, test your applications against 150.0.7871.47. There’s no indication of breaking changes, but out-of-bounds fixes occasionally tweak memory layouts that custom integrations might notice.

How we got here

Chrome 150 arrived in June 2026 under the browser’s four-week release cadence, which has been in place since 2023. The Chromecast feature has been baked into Chrome since 2013, originally as a protocol for streaming to dongles and later evolving into a broader casting and mirroring framework. Its codebase touches media parsing, network protocols, and device discovery—fertile ground for memory-safety bugs.

Out-of-bounds reads like CVE-2026-13890 often surface through fuzzing, in which automated tools hammer code with malformed inputs. Google’s internal security teams and external researchers regularly file such bugs through the Chrome Vulnerability Reward Program. The company hasn’t credited a specific researcher for this find yet, which might mean it was discovered in-house or the reporter prefers anonymity.

Chromecast-specific vulnerabilities are not unprecedented. Over the years, flaws in the Cast protocol have allowed unauthorized media control, device hijacking, and information leaks. Because the component handles a mix of trusted and untrusted content—from your own tabs to third-party sender apps—it’s an attractive target for attackers looking to jump between contexts.

What to do now

Step 1: Update Chrome immediately. The browser usually self-updates, but you can trigger it manually:
- Open Chrome.
- Click the three-dot menu (⋮) in the top-right corner.
- Go to Help > About Google Chrome.
- The browser will check for updates and install version 150.0.7871.47 if you’re not already running it.
- Click Relaunch to finish.

Step 2: Verify the version. After relaunch, return to the About page and confirm the version number ends in .47.

Step 3: Consider restricting Chromecast (optional). If you don’t use casting and want an extra layer of safety, you can disable the feature:
- Type chrome://settings/content/casting in the address bar.
- Toggle off the setting for sites to use the Cast protocol.
- Note that this will prevent any website from initiating casts, including video and presentation tools.

Step 4: For managed environments. Deploy the update via your patch management system or force it through Group Policy Objects (GPO). The policy ApplicationSettings with UpdatePolicy set to Automatic ensures Chrome stays current. Until the patch is confirmed, you can set EnableMediaRouter to false as a temporary workaround.
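
For the managed rollout in Step 4, a fleet check is more reliable when it compares the full four-part version numerically instead of matching the .47 suffix. The script below is an added example, not from Google or the original article; the CSV export layout, host names and status labels are assumptions, and the sample rows are constructed.

```python
import csv
import io

PATCHED = "150.0.7871.47"  # fixed build named in the article

# Constructed sample export (assumed layout): host, installed Chrome version,
# EnableMediaRouter policy value. Empty means the policy is not set.
SAMPLE_INVENTORY = """\
host,chrome_version,enable_media_router
ws-001,150.0.7871.47,
ws-002,150.0.7871.12,
ws-003,150.0.7871.12,false
ws-004,149.0.7800.47,
ws-005,150.0.7871.100,true
ws-006,not-installed,
"""

def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a Chrome version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(version_text, media_router):
    """Label one endpoint: patched, mitigated, exposed or unknown."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"            # unparsable version: needs a manual look
    if version >= parse_version(PATCHED):
        return "patched"            # tuple comparison, so .100 ranks above .47
    if media_router.strip().lower() in ("false", "0"):
        return "mitigated"          # Cast disabled by policy until the update lands
    return "exposed"

def audit(csv_text):
    """Map each host in the export to its status."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: classify(r["chrome_version"],
                                r["enable_media_router"] or "") for r in rows}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Host ws-004 ends in .47 but is on the 149 line and is reported as exposed, while ws-005 on .100 is reported as patched, which a string comparison or suffix match would get wrong.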

Outlook

Chrome 150.0.7871.47 is a surgical strike, fixing one bug without introducing new features. The next planned release, Chrome 151, is slated for late July 2026 under the normal schedule. Until then, Google may issue additional out-of-band patches if other flaws come to light. Keep an eye on the Chrome release blog for any follow-up advisories.

A release devoted to a single Chromecast fix is a reminder that media and casting components remain under active attacker scrutiny. As browsers become the universal runtime for everything from presentations to gaming, the attack surface of peripheral features grows. Regular, automatic updates remain your strongest defense.