Google released Chrome 150.0.7871.47 to the Stable channel on June 30, 2026, fixing a potentially dangerous UI spoofing vulnerability in the browser's extension system. The flaw, tracked as CVE‑2026‑13999, was published by the National Vulnerability Database (NVD) the same day and updated July 1 to clarify that all Chrome versions before the patch are affected on Windows, Mac, and Linux.

What the Patch Fixes

CVE‑2026‑13999 is a high‑severity issue classified as “UI Spoofing” in Chrome Extensions. While Google and the NVD have yet to release deep technical specifics—a common practice to allow users time to update—the vulnerability centers on how Chrome renders interfaces for installed extensions. A malicious extension or a compromised web page could exploit the bug to imitate legitimate extension prompts, permission dialogs, or even the chrome://extensions management page. An attacker who successfully spoofs a trusted UI element might trick users into granting excessive permissions, divulging sensitive data, or installing additional malicious extensions.

The NVD entry lists the affected product as Google Chrome, with Common Platform Enumeration (CPE) string cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*, explicitly flagging all versions prior to 150.0.7871.47. The update, which also includes other security fixes that Google has not detailed, is rolling out automatically to most consumer devices, but users and IT teams should verify installations manually.

What This Means for You

The practical risk varies by user profile:

Home Users and Casual Browsers

If you use Chrome for everyday browsing, the immediate action is to confirm you’re running the fixed version. Even though Chrome updates itself, the process can stall on systems with prolonged uptime or metered connections. A spoofed extension UI could, for example, mimic a common password manager’s login prompt or a multi‑factor authentication challenge, harvesting credentials. While no public exploit code has been spotted in the wild, the window between patch release and active exploitation is often measured in days.

IT Administrators and Enterprise Environments

Organizations that manage Chrome through Group Policy, Chrome Browser Cloud Management, or a unified endpoint management tool face a different challenge: ensuring every endpoint, including remote and off-network devices, receives the update promptly. Because the NVD entry uses a wildcard version in its CPE, vulnerability scanners such as Nessus, Qualys, or Microsoft Defender for Endpoint must compare the installed version numerically against 150.0.7871.47 to flag older installs. Where users cannot install updates themselves, IT should confirm that the Google Update policies permit automatic updates and, where the updater is blocked or has been removed, deploy the enterprise MSI for the fixed build through the normal software-distribution tool.

Additionally, administrators should consider setting SafeBrowsingProtectionLevel to 2 (Enhanced protection) and enabling SafeBrowsingProceedAnywayDisabled so users cannot click through Safe Browsing warnings, and restricting extensions to an allowlist (ExtensionInstallBlocklist set to * with approved extension IDs in ExtensionInstallAllowlist) while leaving ExtensionInstallSources unset so that only Chrome Web Store installs are permitted. These are general hardening measures, not specific workarounds for CVE‑2026‑13999.

Extension Developers

Developers who publish extensions on the Chrome Web Store should audit their add‑ons for any reliance on UI elements that could be replicated by a malicious actor, though the vulnerability appears to affect the browser’s own rendering, not legitimate extensions. Still, Google’s extension review team may increase scrutiny in the wake of this disclosure, so now is a good time to review compliance with Manifest V3 requirements and remove unused permissions.

How We Got Here

Chrome’s extension framework has been under increasing attack in recent years. Earlier in 2026, Google reported a series of campaigns where fake extensions with inflated review counts slipped past Web Store defenses. UI spoofing itself is a long-standing bug class in Chrome’s release notes, distinct from memory-safety flaws such as CVE‑2022‑1853 (a use-after-free in Indexed DB) and CVE‑2023‑2033 (a type confusion in V8): a spoofing bug lets an attacker present trusted-looking interface elements without corrupting memory at all, which is why it remains dangerous even on a fully hardened browser. The browser’s shift to Manifest V3, which enforces stricter permission models and service worker‑based background scripts, is designed in part to shrink the attack surface that flaws like CVE‑2026‑13999 target.

Google credited a researcher under the alias “ph0r” with reporting the bug; the bounty amount was not disclosed. The company’s quick turnaround, less than a week from report to Stable channel patch, highlights the severity it assigns to UI deception attacks, which can defeat even cautious users by mimicking trusted interfaces.

What to Do Now

For individuals, the steps are straightforward:

  1. Check your Chrome version. Click the three‑dot menu, navigate to Help > About Google Chrome. The browser will report its version number and trigger an update check.
  2. Verify the update. While the new build is staged but not yet running, the page reads “Nearly up to date”; click Relaunch to finish installation. After the relaunch it should read “Chrome is up to date” and list Version 150.0.7871.47 or higher. If it still shows an older build, the update did not apply and you should repeat the check.
  3. Review installed extensions. Type chrome://extensions in the address bar, remove any add‑ons you don’t recognize or no longer use, and confirm that the remaining ones have not been granted more permissions than necessary.
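Step 3 is tedious to do by hand across many extensions. The following script, added here as an example and not code from Google or from the article, audits manifest.json files for the permissions that matter most: broad host access and APIs that can read or alter other sites. The two manifests embedded in it are constructed samples, and the list of “sensitive” APIs is an editorial choice rather than an official Chrome classification.

```python
"""Audit Chrome extension manifest.json files for overly broad permissions.

Added example for this article; it is not Google's code and not part of any
extension. The two manifests below are constructed samples, and the list of
'sensitive' APIs is an editorial choice, not an official Chrome classification.
"""
import json
from pathlib import Path
from typing import Dict, List, Set

# Host patterns that reach every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that let an extension observe or alter other sites, browser
# state, or other extensions (editorial list, see module docstring).
SENSITIVE_APIS = {
    "tabs", "webRequest", "webRequestBlocking", "cookies", "history",
    "clipboardRead", "nativeMessaging", "debugger", "management", "proxy",
    "scripting", "webNavigation", "declarativeNetRequestFeedback",
}


def _host_patterns(manifest: Dict) -> Set[str]:
    """Collect every host pattern the manifest can request.

    MV3 keeps hosts in host_permissions; MV2 mixes them into permissions, so
    both are read. Content-script 'matches' grant injection on those hosts.
    """
    hosts: Set[str] = set()
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        for entry in manifest.get(key, []):
            if entry == "<all_urls>" or "://" in entry:
                hosts.add(entry)
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return hosts


def audit_manifest(manifest: Dict) -> List[str]:
    """Return one finding string per issue; an empty list means nothing flagged."""
    findings: List[str] = []
    if manifest.get("manifest_version", 2) < 3:
        findings.append("manifest_version 2: not migrated to Manifest V3")
    apis = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    for api in sorted(apis & SENSITIVE_APIS):
        findings.append(f"sensitive API permission: {api}")
    for host in sorted(_host_patterns(manifest) & BROAD_HOSTS):
        findings.append(f"broad host access: {host}")
    return findings


def audit_unpacked_extensions(root: Path) -> Dict[str, List[str]]:
    """Audit every manifest.json below root, e.g. a copy of a Chrome profile's
    Extensions folder (laid out as <id>/<version>/manifest.json)."""
    report: Dict[str, List[str]] = {}
    for manifest_path in sorted(root.rglob("manifest.json")):
        with manifest_path.open(encoding="utf-8") as fh:
            report[str(manifest_path.parent.relative_to(root))] = audit_manifest(json.load(fh))
    return report


# Constructed samples: a minimal MV3 extension and a permission-hungry MV2 one.
CLEAN_MANIFEST = {
    "manifest_version": 3, "name": "Tab Counter", "version": "1.0",
    "permissions": ["storage"],
    "host_permissions": ["https://example.com/*"],
}
RISKY_MANIFEST = {
    "manifest_version": 2, "name": "Coupon Helper", "version": "4.2",
    "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>", "storage"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
}

if __name__ == "__main__":
    for label, manifest in (("clean", CLEAN_MANIFEST), ("risky", RISKY_MANIFEST)):
        print(label, audit_manifest(manifest) or ["no findings"])
```

Point audit_unpacked_extensions at a copied profile Extensions directory to get a per-extension report; a finding is a prompt to ask why the extension needs that access, not proof of malice, since a legitimate ad blocker will also request webRequest and broad hosts.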

For enterprises and system administrators:

  • Make sure the updater is allowed to run. Google Update has no minimum‑version setting; what you can enforce is that updates are permitted and that the staged build is actually relaunched into. On Windows, open Administrative Templates > Google > Google Update > Applications > Google Chrome, enable “Update policy override” and set it to “Always allow updates (recommended)” (registry equivalent: HKLM\SOFTWARE\Policies\Google\Update\Update{8A69D345-D564-463C-AFF1-A69D9E530F96} set to 1). Pair it with the Chrome policy RelaunchNotification set to 2 (Required) and a short RelaunchNotificationPeriod so that a downloaded update does not sit unused until the user happens to restart.
  • Use Chrome Browser Cloud Management to view a report of all managed browsers and their versions; push an update command to devices that are behind.
  • Run a CPE‑based scan. Search your asset inventory for instances matching cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* with a version less than 150.0.7871.47. Many vulnerability management platforms can flag these instantly.
  • Consider blocking extension installations until all clients are patched. ExtensionInstallBlocklist with a value of * blocks every extension that is not listed in ExtensionInstallAllowlist or ExtensionInstallForcelist, and it also disables extensions users have already installed, so pair it with an allowlist of approved IDs. Expect an impact on productivity tools; use it with caution and only temporarily.
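For the CPE‑based scan in the list above, the detail that bites is version comparison: Chrome versions must be compared numerically field by field, or a string compare will rank 99.x above 150.x and miss old installs. The following script, an added example rather than a feature of any scanner mentioned here, parses CPE 2.3 strings from a constructed asset export, compares the version field against 150.0.7871.47, and separates confirmed‑vulnerable hosts from those whose CPE carries a wildcard version that the scanner never resolved. The hostname,cpe column layout is an assumption about the export format.

```python
"""Flag Chrome installs older than the fixed build in a CPE 2.3 asset export.

Added example for this article, not a Nessus, Qualys or Defender feature. The
inventory lines are constructed, and the 'hostname,cpe' layout is an assumed
export format; real exports need their own column mapping.
"""
from typing import Iterable, List, Optional, Tuple

FIXED_VERSION = "150.0.7871.47"


def parse_version(version: str) -> Tuple[int, ...]:
    """Split '150.0.7871.47' into (150, 0, 7871, 47) so comparison is numeric.

    A plain string comparison would rank '99.0.4844.84' above the fixed build
    because '9' sorts after '1'; that is the classic false negative.
    """
    return tuple(int(part) for part in version.split("."))


def cpe_fields(cpe: str) -> List[str]:
    """Return the 13 colon-separated fields of a CPE 2.3 formatted string:
    cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other
    Chrome versions contain no escaped colons, so a plain split is safe here."""
    fields = cpe.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return fields


def is_chrome(cpe: str) -> bool:
    """True for application CPEs with vendor google and product chrome."""
    return cpe_fields(cpe)[2:5] == ["a", "google", "chrome"]


def version_of(cpe: str) -> Optional[str]:
    """Version field of a CPE, or None when it is a wildcard ('*' or '-')."""
    field = cpe_fields(cpe)[5]
    return None if field in ("*", "-") else field


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """Numerically lower than the fixed build means still exposed."""
    return parse_version(version) < parse_version(fixed)


def scan_inventory(lines: Iterable[str]) -> List[Tuple[str, Optional[str], str]]:
    """Return (host, version, status) for every Chrome entry in the export.

    status is 'patched', 'vulnerable', or 'unknown-version' when the CPE has a
    wildcard version, meaning the scanner never read a version and the host
    must be checked by hand rather than silently treated as safe.
    """
    results = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, cpe = (field.strip() for field in line.split(",", 1))
        if not is_chrome(cpe):
            continue
        version = version_of(cpe)
        if version is None:
            status = "unknown-version"
        elif is_vulnerable(version):
            status = "vulnerable"
        else:
            status = "patched"
        results.append((host, version, status))
    return results


def hosts_needing_action(lines: Iterable[str]) -> List[str]:
    """Hosts that are confirmed vulnerable or whose version could not be read."""
    return sorted(host for host, _, status in scan_inventory(lines) if status != "patched")


# Constructed sample export; versions other than the fixed build are made up.
SAMPLE_INVENTORY = """\
# hostname,cpe
ws-01,cpe:2.3:a:google:chrome:150.0.7871.47:*:*:*:*:*:*:*
ws-02,cpe:2.3:a:google:chrome:149.0.7800.112:*:*:*:*:*:*:*
ws-03,cpe:2.3:a:google:chrome:99.0.4844.84:*:*:*:*:*:*:*
ws-04,cpe:2.3:a:google:chrome:150.0.7871.60:*:*:*:*:*:*:*
ws-05,cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
ws-06,cpe:2.3:a:mozilla:firefox:140.0:*:*:*:*:*:*:*
"""

if __name__ == "__main__":
    for host, version, status in scan_inventory(SAMPLE_INVENTORY.splitlines()):
        print(f"{host:6} {version or '(unknown)':16} {status}")
    print("needs action:", hosts_needing_action(SAMPLE_INVENTORY.splitlines()))
```

Treating a wildcard version as “needs action” rather than “not matched” is deliberate: an inventory entry that matches the NVD CPE only because both sides are wildcards tells you nothing about whether the host is patched.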

Home users who cannot update immediately should be especially wary of unexpected browser prompts asking for permissions or login details. Avoid installing extensions from outside the Chrome Web Store entirely, and enable Enhanced Safe Browsing (chrome://settings/security) for additional protection against deceptive pages.

Outlook

Google is likely to release more details about the exploit mechanism after a grace period—typically 14 days—to give the majority of users time to patch. Security researchers and major businesses should watch for a follow‑up bulletin on the Chrome Releases blog or the Chromium bug tracker. The patched version 150.0.7871.47 also lays groundwork for several under‑the‑hood changes expected in the coming weeks, including further Manifest V3 rollouts, so keeping browsers current will be essential as the extension landscape evolves.

In the meantime, the standard advice stands: enable automatic updates, prune unnecessary extensions, and treat any unsolicited browser dialog with a healthy dose of skepticism. With a single restart, you can close the door on CVE‑2026‑13999 before attackers find their way through.