Google has released an emergency update for its Chrome browser, version 150.0.7871.47, to plug a serious security hole that could let attackers hijack a Windows PC simply by tricking someone into visiting a malicious website. The vulnerability, tracked as CVE-2026-14086, stems from a policy enforcement weakness in how Chrome handles Human Interface Devices (HID) through the WebHID API. The National Vulnerability Database (NVD) warns that a remote attacker could exploit this flaw to execute arbitrary code on the target machine, making it one of the more dangerous browser bugs in recent memory.

What Google Fixed in Chrome 150.0.7871.47

The latest stable channel update for Windows, Mac, and Linux addresses a single critical issue: insufficient enforcement of security policies within Chrome’s HID subsystem. According to the NVD’s advisory, an attacker could craft a web page that, when loaded in a vulnerable version of Chrome, would bypass normal authorization checks to access connected HID devices and potentially achieve code execution.

Google is keeping the technical details under wraps for now, a standard practice to give users time to apply the patch before attackers can reverse-engineer the flaw. What we know is that the flaw resides in the browser’s implementation of the WebHID API, a feature that allows web applications to interact with devices like gamepads, braille displays, and specialized industrial equipment.

The severity is underscored by the fact that the attack requires no user interaction beyond visiting a compromised or malicious site: no clicking, no downloads. This “drive-by” nature means anyone running Chrome prior to version 150.0.7871.47 is a potential target. The Common Vulnerability Scoring System (CVSS) score hasn’t been published yet, but given the remote code execution (RCE) capability, it’s likely to land in the 8.8–9.6 range (high to critical).

What This Means for Windows Users

If you use Chrome on Windows, you’re in the crosshairs. The bug isn’t theoretical: it’s a real, exploitable path from a web page to full system compromise. But the practical impact differs depending on who you are.

For everyday users: This is a no-excuses situation. Open Chrome, click the three-dot menu, go to Help > About Google Chrome, and let it download the update. Then restart the browser. It takes two minutes and closes a door that could otherwise lead to stolen passwords, ransomware, or worse. Because Chrome automatically updates in the background for most people, you might already be patched—checking is still wise.

For IT administrators: You’ll need to verify your managed Chrome installations across the enterprise. Group Policy, SCCM, or your endpoint management tool should reflect version 150.0.7871.47. The Chrome Browser Cloud Management console can show you the update status fleet-wide. If you rely on Chrome’s legacy browser support for internal apps, double-check that the patch doesn’t interfere with any custom HID integrations—though no breaking changes have been announced.

For developers using WebHID: Chrome’s stricter policy enforcement may alter how your web app requests HID devices. After the update, your application might need to request permission more explicitly, or the user gesture requirement could be tightened. Test your WebHID workflows thoroughly against the new version. Google has not yet published a detailed developer note, but expect one in the Chromium bug tracker soon.

How We Got Here: HID, Chrome, and the Push for Powerful Web APIs

The WebHID API has been part of Chrome since version 89, and it filled a niche for web-based device control in healthcare, manufacturing, and gaming. But with great power comes a larger attack surface. This isn’t the first time HID handling has caused security headaches in Chrome.

A brief history of HID-related Chrome CVEs underscores why this week’s patch demands attention:

  • April 2024: CVE-2024-3159, a use-after-free in WebHID, allowed code execution in the renderer process.
  • October 2023: CVE-2023-5218, a critical data validation issue in HID, enabled sandbox escape when combined with a second bug.
  • February 2022: CVE-2022-0609, a policy enforcement bypass in WebUSB (related to HID logic) was exploited in the wild by North Korean threat actors.

The thread is clear: as Chrome extends its reach into hardware, the attack surface expands. Each patch closes one door, but the sheer number of recent bugs suggests the design needs scrutiny.

In this case, the timeline is unclear, but the emergency nature suggests the vulnerability was either actively exploited in the wild or disclosed publicly before a fix was ready. Google typically credits external researchers, but the official advisory (at the time of writing) doesn’t name a discoverer.

The NVD entry adds weight. While Google’s own severity labels often downplay externally reported bugs, the NVD’s warning of remote code execution elevates the urgency. It’s a reminder that browsers are the primary gateway to corporate networks and personal data, and the WebHID API, though niche, can be a powerful tool in an attacker’s arsenal.

What to Do Right Now

Updating Chrome is the only reliable fix. Here’s a checklist:

  1. Check your current version: Open chrome://settings/help or click the three dots > Help > About Google Chrome. If you see version 150.0.7871.47 (or higher), you’re safe. If it shows an older number, an update should start automatically; if not, click “Update Google Chrome.”
  2. Manual update if needed: On Windows, if auto-update fails, download the latest installer from google.com/chrome. Uninstall Chrome first? Not necessary—the installer will overwrite the existing files.
  3. Restart: Chrome must fully restart to apply the patch. Save your work and close all windows, then reopen.
  4. Verify again: After restart, revisit chrome://settings/help to confirm version 150.0.7871.47.
  5. For enterprise admins: Push the update via your preferred deployment tool. Google’s MSI installer for the stable channel is available. Use Chrome’s Group Policy administrative templates to enforce automatic updates if you haven’t already.
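
For the fleet-wide check in step 5, the following is an added example (not code from Google or from this article) that classifies hosts in an inventory export against the fixed version 150.0.7871.47. The CSV column names and hostnames are constructed assumptions. Versions are compared numerically, component by component, because a plain string comparison would wrongly rank 150.0.7871.5 above 150.0.7871.47.

```python
import csv
import io

FIXED = "150.0.7871.47"  # fixed version named in the article

# Constructed sample of an endpoint-management export.
# Hostnames and column names are assumptions for illustration.
SAMPLE_EXPORT = """hostname,chrome_version
ws-001,150.0.7871.47
ws-002,150.0.7871.5
ws-003,149.0.7800.120
ws-004,150.0.7872.3
ws-005,
ws-006,150.0.7871
ws-007,not installed
"""


def parse_version(text):
    """Return a 4-tuple of ints for 'a.b.c.d', or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        return None
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def audit(export_text, fixed=FIXED):
    """Classify each host as patched, vulnerable or unknown."""
    fixed_v = parse_version(fixed)
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        version = parse_version(row.get("chrome_version") or "")
        if version is None:
            # Missing or unparseable data is never treated as patched.
            report["unknown"].append(row["hostname"])
        elif version >= fixed_v:  # tuple comparison is numeric per component
            report["patched"].append(row["hostname"])
        else:
            report["vulnerable"].append(row["hostname"])
    return report


if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_EXPORT).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown need a manual check rather than being counted as compliant.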

If for some reason you cannot update immediately—say, you’re on a locked-down machine with a delayed approval cycle—temporarily disabling the WebHID API is an option, but it’s a sledgehammer. You can do this by navigating to chrome://flags/#enable-web-hid and setting it to Disabled. However, this may break internal apps that rely on HID access, so it’s only a stopgap. More practically, avoid unfamiliar websites and consider using an alternative browser like Edge or Firefox until Chrome is patched, though those browsers may have their own update cadence.

Outlook: A Patch, But the Story Isn’t Over

Google will likely disclose more details in the coming weeks after the majority of users have updated. At that point, we’ll learn whether CVE-2026-14086 was exploited in targeted attacks or was responsibly reported. Historically, Chrome’s bug bounty program encourages researchers to keep quiet until a fix ships, which helps everyone.

For now, the key takeaway is that this update is not optional. Chrome’s prevalence (it is used by over two-thirds of desktop users worldwide) makes any high-severity bug a community crisis. The next Chrome security update will probably bundle additional fixes, as Google often includes multiple patches in stable releases. Keep an eye on the Chrome Releases blog for any follow-up advisories, and make sure your browser’s silent update mechanism hasn’t been disabled.