A remote attacker can sidestep core security safeguards in Google Chrome for iPhone and iPad simply by luring you to a malicious web page. Google disclosed the flaw, tracked as CVE-2026-14075, on June 30, 2026, and released Chrome for iOS version 150.0.7871.47 to patch it. The vulnerability is a policy-enforcement weakness that affects all Chrome releases for iOS prior to the fix.

The vulnerability, plain and simple

The CVE entry, which had been reserved but not publicly detailed until the patch shipped, describes a “policy enforcement” flaw in Chrome for iOS. In practical terms, that means Chrome’s internal rules—the logic that governs what web content can and cannot do—could be tricked. By serving a specially crafted HTML document, a remote attacker could bypass those rules and potentially gain access to information or permissions ordinarily locked down by the browser. How much access? Google’s advisory stops short of specifying the exact boundaries that fall, but “policy enforcement” typically points to mechanisms like Same-Origin Policy, Content Security Policy, or sandboxing constraints. When those fail, an attacker can often read cross-origin data, inject scripts, or escalate privileges inside the browser sandbox.

The flaw is exclusive to Chrome for iOS. Desktop Chrome, Chrome for Android, and other Chromium-based browsers are not affected. The fix, distributed through Apple’s App Store, arrives in build 150.0.7871.47. If your Chrome for iOS displays any earlier version—say 150.0.7871.43 or earlier—you are vulnerable.

What this means for you

For everyday iPhone and iPad users, the risk is immediate but avoidable. Because the attack vector is a malicious or compromised web page, the threat model mirrors a classic drive-by exploit: visit the wrong link, and a remote attacker could have a direct path around Chrome’s defenses. The attacker doesn’t need physical access to your device or any additional malware; the browser becomes the entry point. Once inside, the attacker could, for example, siphon authentication cookies from another domain you’re logged into, alter what you see on a trusted site, or quietly redirect your traffic through a server they control.

  • If you use Chrome as your primary iOS browser, check your version now. Open Chrome, tap the three-dot menu, go to Settings > About Chrome, and confirm the version string reads 150.0.7871.47. If it doesn’t, head to the App Store and install the update.
  • If you’re an IT or MDM administrator, this CVE should trigger an immediate push. Any fleet of managed iPhones or iPads with Chrome installed needs the patched version. Your Mobile Device Management platform can enforce the minimum version or silently update the app for supervised devices. For unsupervised devices, send a notification to users and monitor compliance.
  • If you’re a parent or family tech-support person, check the devices of anyone less likely to update apps manually. The App Store’s automatic update feature often catches these within a few days, but manual verification shortens the window of exposure.

Beyond the immediate patch, the episode underscores a broader reality: browsers on iOS aren’t immune to severe security bugs. Despite Apple’s WebKit engine requirement—all iOS browsers must use WebKit under the hood—vulnerabilities can and do arise in the browser shell and the integration layers that Chrome builds on top of it. Google’s security team routinely tests and hardens those layers, but mistakes happen.

How we got here: a timeline of the fix

CVE-2026-14075 didn’t appear in a vacuum. Google’s stable channel updates for Chrome on desktop and Android arrived earlier in the week of June 22, 2026, bringing a crop of fixes that included high-severity use-after-free and type-confusion bugs. iOS typically lags a few days behind those releases, as Apple’s App Store review may add a small delay. The Chrome for iOS stable channel announcement from June 30 confirms that the rollout contains a single security fix: the policy-enforcement CVE reported by an external researcher via Google’s Vulnerability Reward Program.

The disclosure pattern—reserving the CVE, patching, then publishing—is standard for Google. It’s designed to give users a head start before attackers can reverse-engineer the fix. As of June 30, Google states it is not aware of active exploitation in the wild, but the company’s own research shows that attackers often weaponize a patch within days. The window between disclosure and active exploitation is shrinking industry-wide.

Chrome for iOS version history shows a steady stream of security patches. For instance, CVE-2025-12345 earlier this year patched a similar policy-enforcement bug, though that one also required a secondary interaction. This new bug appears more severe because the remote nature and the “crafted HTML” trigger suggest a fully client-side exploit. No special user gesture beyond page loading is implied.

What to do now: step-by-step instructions

  1. Check your Chrome for iOS version
    - Open Chrome.
    - Tap the three-dot menu (bottom-right or top-right, depending on your layout).
    - Go to Settings > About Chrome.
    - If the version shown is 150.0.7871.47 or later, you are protected.

  2. Update if you’re not on the patched version
    - Open the App Store.
    - Tap your profile icon in the top right.
    - Scroll to the Available Updates section.
    - Find Chrome and tap Update.
    - If you don’t see Chrome in the list, you may already be on the latest version.

  3. Enable automatic updates (recommended)
    - Go to Settings > App Store.
    - Toggle on App Updates under Automatic Downloads.
    - This ensures future patches install overnight when your device is charging and connected to Wi-Fi.

  4. For enterprise environments
    - Use your MDM platform (Microsoft Intune, Jamf, VMware Workspace ONE, etc.) to create a compliance policy requiring Chrome for iOS at version 150.0.7871.47 or higher.
    - If your MDM supports application deployment, push the updated Chrome package from the App Store.
    - Monitor your console for devices that fail to update, and follow your organization’s patching SLA.

No temporary workaround exists. Safari and other browsers are unaffected, but switching browsers solely for this CVE is impractical for Chrome users; the real fix is a few taps away.

What to watch next

Google will likely expand the advisory with technical details after most users have applied the patch—typically in a few weeks. Security researchers may then publish proof-of-concept code demonstrating how the bypass works. That pattern, while educational, also increases the risk for anyone who hasn’t updated. The Chrome for iOS release notes page and the CVE-2026-14075 entry on the National Vulnerability Database will be the authoritative sources for those deep dives.

Longer term, this bug reminds us that “iOS is safe” is a dangerously simplistic mindset. Each app, especially a complex one like a browser, carries its own attack surface. Routine, automatic updates remain the single most effective defense against these pinpointed attacks. If you haven’t turned on automatic app updates yet, today is a good day to flip that switch.