Google has pushed out an urgent security patch for Chrome on iOS, bringing the browser to version 150.0.7871.47 to fix a dangerous flaw tracked as CVE-2026-13777. The update is now available through the App Store, and all users should install it immediately.

What’s in the Update

The CVE-2026-13777 identifier points to a high-severity vulnerability that could allow attackers to compromise iPhones or iPads through malicious web content. Google has not yet disclosed the technical details—standard practice when a bug might be actively exploited—but the version bump and the emergency nature of the release signal urgency. Security researchers often assign such CVEs when a flaw enables arbitrary code execution or sandbox escape, but specifics for this case remain under wraps.

Chrome’s release notes for iOS simply mention “security fixes” without elaboration. However, the isolated CVE and the rapid update suggest this is not a routine patch but a response to a credible threat. The update is iOS-only; desktop and Android versions are not affected by this particular issue.

What It Means for You

If you use Chrome on an iPhone or iPad, delaying this update is risky. The vulnerability likely lets a crafty website hijack your browser and run malicious code, potentially stealing passwords, financial data, or personal information. Even if you only visit mainstream sites, malvertising campaigns can occasionally slip dangerous content into trusted domains.

For home users, the fix is painless: a quick trip to the App Store. For businesses managing fleets of iOS devices, IT admins need to push the update through their Mobile Device Management (MDM) platform without delay. Because Chrome on iOS relies on Apple’s WebKit engine for page rendering, some attack vectors are blocked by iOS’s own security layers, but any component outside WebKit—like the V8 JavaScript engine used for some features or the browser’s UI—can still be exploited. Treat this update with the same gravity as a desktop Chrome patch.

How We Got Here

Chrome follows a multi‑platform update cadence, with stable channel releases roughly every four weeks and emergency out‑of‑band patches when zero‑day threats emerge. Version 150 is a major number jump, possibly aligning with a broader feature release, but the urgent patch prioritizes a single security fix.

Chrome for iOS shares version numbers with its desktop and Android siblings, though under the hood it must use Apple’s WebKit for rendering due to App Store policies. The browser layers its own services—sync, Safe Browsing, and the V8 engine for certain JavaScript workloads—on top of WebKit. The vulnerability could reside in any of these custom components, which are Google’s responsibility to patch. This architectural division explains why a Chrome‑specific iOS flaw still needs a standalone update, rather than being fixed through an iOS system update.

Historically, Chrome for iOS has seen fewer critical CVEs than its desktop counterpart, but they do appear. For example, in early 2025 several high‑impact bugs in V8 and the Skia graphics library required quick patches on desktop and Android, whereas iOS was spared because those components are not fully exposed. When an iOS‑specific issue does surface, however, it demands the same level of urgency.

What to Do Now

Updating Chrome on iOS takes less than a minute:

  1. Open the App Store.
  2. Tap your profile picture in the top‑right corner.
  3. Scroll down to see pending updates. If Chrome appears, tap “Update.” Alternatively, search for “Chrome” and tap the update button on its store page.
  4. After the update, verify the version: tap the three‑dot menu inside Chrome, go to Settings, then Google Chrome, and check the version at the bottom. It should read 150.0.7871.47.
  5. Enable automatic updates if you haven’t already: go to Settings > App Store and toggle on “App Updates.”

For IT administrators:
- Verify that your MDM solution recognizes the new version and push an update policy for the Chrome app.
- If your organization uses a delayed update cadence to test compatibility, treat this as a zero‑day over‑ride and expedite deployment.
- Consider blocking outdated versions from accessing corporate resources until patched.

If you can’t update right now (for example, in a low‑connectivity area), minimize web browsing in Chrome until the patch is applied, or switch to Safari for sensitive tasks. Safari also uses WebKit, so it might share some lower‑level protections, but it is not affected by the Chrome‑specific bug.

A quick note on checking for compromise: no indicators of compromise (IoCs) have been publicly shared, but general best practices after applying a security fix include clearing your browser cache (go to Chrome’s Settings > Privacy > Clear Browsing Data) and reviewing account activity on critical services like email and banking.

Outlook

Google will likely publish a blog post in the coming days with credit to the vulnerability reporter and a nuanced description of the bug. CVE‑2026‑13777 will also appear in the National Vulnerability Database with a detailed severity score. Since Chrome updates on iOS are distributed through the App Store, adoption often lags behind desktop’s automatic patching; nevertheless, the most security‑conscious users tend to update within 48 hours. Attackers often reverse‑engineer patches quickly, so the window for safe delay is small.

Beyond this fix, version 150 may deliver other improvements—performance tweaks or interface adjustments—but the priority now is security. If you care for someone who uses Chrome on an iPhone, reach out and help them update. In the mobile era, a single stale app is all an attacker needs.