Google released a stable-channel update for Chrome on June 30, 2026, that patches a medium-severity vulnerability allowing remote attackers to spoof the browser’s security UI. The flaw, tracked as CVE-2026-13978, affects all Chrome versions before 150.0.7871.47 on Windows, Mac, and Linux.
The patch arrives in Chrome 150.0.7871.47
The update, detailed in a terse advisory from Google’s Chrome Security team, addresses a “policy-enforcement” weakness in PageInfo. PageInfo is the dialog bubble that appears when a user clicks the lock icon or site-identity indicator in the address bar. It shows the connection’s security status, certificate details, cookie usage, and permissions.
CVE-2026-13978 breaks the normal enforcement chains that keep that UI honest. In practice, an attacker who has tricked a user into visiting a crafted website—or who has positioned themselves on the network to inject content—can alter what the PageInfo bubble displays. The lock icon might show for a site that is actually plain HTTP. A phishing page could present itself as a legitimate, long-established banking domain. The permissions section could hide that the site is accessing the camera or microphone.
Google’s advisory classifies the bug with a CVSS score of 5.3 (medium), but the practical risk for everyday users is higher if they are targeted in phishing campaigns that leverage the flaw. The company said it is “aware of no active exploitation,” though it rarely comments on whether an internal zero-day report prompted the fix.
What happens if an attacker exploits PageInfo spoofing
The Chrome security model depends on users trusting the UI around the address bar. Modern browsers have layered defenses: a green lock for validated HTTPS, a “Not secure” warning for HTTP, and the full PageInfo panel for deeper inspection. If an attacker can manipulate those indicators, they can subvert the single most important trust signal in the browser.
On Windows, where Chrome holds roughly 60–65% of the desktop market, the attack surface is enormous. A spoofed lock icon and plausible-looking PageInfo bubble could convince an employee to enter corporate credentials on a fake login page. Because the manipulation happens inside the browser’s own UI, traditional Windows security tools may not flag anything suspicious—the malicious page itself might not host malware or exploit an OS vulnerability; it simply abuses a feature that users are trained to rely on.
The flaw also impacts the permissions workflow. A site requesting microphone access normally triggers a clear permission prompt. With CVE-2026-13978, an attacker could hide that the permission was already granted or that the site is actively recording, turning Chrome into an eavesdropping device without the user’s knowledge.
Who is most at risk
- Home users who auto-update are protected once the new build installs, but manual updaters and those on metered connections need to check immediately.
- Windows enterprise admins must roll out Chrome 150.0.7871.47 to all managed devices. The vulnerability’s medium severity belies its usefulness in targeted phishing: a single executive tricked by a spoofed PageInfo could expose an entire network.
- IT pros managing legacy Windows systems should note that Chrome often drops support for older OS versions. This stable release still supports Windows 10 and later, but organizations clinging to Windows 7 or 8.1 are already unsupported and will not receive this patch through Chrome’s own channels.
- Developers who embed WebView2 or test on Chromium-based browsers need to rebuild applications against the patched engine to avoid carrying the vulnerability into their own software.
How the PageInfo bug fits into Chrome’s UI spoofing history
Chrome has faced a steady stream of address-bar and security-indicator spoofing bugs since its inception. The browser’s multi-process architecture—one process for the renderer, another for the browser UI—creates a natural boundary, but that boundary is enforced by policy checks which, when bypassed, can allow a compromised renderer to paint fake UI elements.
In 2024, CVE-2024-1235 let attackers mimic the lock icon state. In 2025, a string of “origin confusion” bugs made it possible to display the URL of one site while actually loading content from another. CVE-2026-13978 is the latest in that lineage and specifically targets the PageInfo bubble, a relatively newer interface that Google has been expanding to show more granular site controls.
The July 2026 patch was published as part of a larger stable-channel refresh that includes fixes for 12 other security bugs, several rated high severity. Google typically withholds full technical details for a few weeks to give users time to update, so precise exploit mechanics may not emerge until late July or August.
Immediate steps to take on Windows
- Update Chrome manually if auto-update hasn’t triggered. Open the three-dot menu, go to Help > About Google Chrome. The browser will check for updates and install version 150.0.7871.47. Restart Chrome.
- Verify the version. Type chrome://settings/help in the address bar. It should read “Google Chrome is up to date” with the version string ending .47 or higher.
- For enterprise deployments, push the MSI. Admins can download the latest offline installer for Windows x64/x86 from the Google Chrome Enterprise download page. Group Policy or management tools like SCCM can force the update.
- Audit internal phishing training. Because this bug undermines the lock icon, train users to verify a site’s identity by manually inspecting the URL in the address bar rather than relying solely on the lock or PageInfo panel—at least until all devices are patched.
- Consider Edge users. Microsoft Edge, built on Chromium, will likely receive a corresponding patch in a subsequent release if the bug exists in the underlying engine. Check edge://settings/help and update to Edge 150.x when available.
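For admins who want to confirm the fix has landed across many Windows machines rather than clicking through About Google Chrome on each one, the following PowerShell script (an added example, not tooling from Google or the advisory) reads the file version of chrome.exe and compares it against the patched build 150.0.7871.47. The install paths it probes are assumed defaults; adjust them if Chrome is deployed elsewhere.

```powershell
# Added example: check whether the local Chrome build is at or above the
# version that fixes CVE-2026-13978. Not part of Google's advisory or tooling.

# Patched version taken from the advisory.
$PatchedVersion = [version]'150.0.7871.47'

function Get-ChromeInstalledVersion {
    # Assumed default install locations for chrome.exe (system-wide and per-user).
    $candidates = @(
        "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
        "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
        "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe"
    )
    foreach ($path in $candidates) {
        if (Test-Path -LiteralPath $path) {
            # FileVersion on chrome.exe is the dotted build string, e.g. 150.0.7871.47
            $fileVersion = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
            if ($fileVersion) { return [version]$fileVersion }
        }
    }
    return $null
}

function Test-ChromePatched {
    param(
        [version]$Installed,
        [version]$Required = $PatchedVersion
    )
    # A missing install counts as unverified, not as patched.
    if (-not $Installed) { return $false }
    # [version] comparison is numeric per component, so 150.0.7871.47 -ge 150.0.7871.9 holds.
    return $Installed -ge $Required
}

$installed = Get-ChromeInstalledVersion
if (-not $installed) {
    Write-Output "$env:COMPUTERNAME: Chrome not found in the standard install locations."
} elseif (Test-ChromePatched -Installed $installed) {
    Write-Output "$env:COMPUTERNAME: Chrome $installed is at or above $PatchedVersion (CVE-2026-13978 fixed)."
} else {
    Write-Output "$env:COMPUTERNAME: Chrome $installed is below $PatchedVersion; update required."
}
```

Run it through your management tool or Invoke-Command against the device list so each machine reports its own name and status, and note that a running Chrome instance only picks up the new build after a restart even though chrome.exe on disk already reports the patched version.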
Outlook: What comes after the patch
Google’s accelerated release cadence—a major version every four weeks—means that even after patching, new spoofing variants can appear quickly. Windows users should leave Chrome’s automatic update feature enabled and avoid dismissing browser restarts for more than a day. For organizations, the patch underscores the need to treat browsers as a critical endpoint security layer, not a commodity.
Security researchers will likely publish proof-of-concept code once the embargo lifts, and phishing kits may incorporate the technique. The true test of CVE-2026-13978’s severity will come in the weeks following public disclosure, when the window of vulnerability closes for users but opens for attackers targeting the unpatched.