Google has issued an urgent fix for a high‑severity vulnerability in Chrome for iOS that leaves the browser’s Safe Browsing feature open to subtle side‑channel attacks. Tracked as CVE-2026-13809, the flaw affects all versions of the app prior to 150.0.7871.47 and could allow a remote attacker to sniff out sensitive information without leaving an obvious trace. iPhone and iPad users who depend on Chrome for everyday browsing should install the update immediately via the App Store.
What actually changed
The core of the fix lies in Chrome’s implementation of Safe Browsing on iOS. Safe Browsing is the Google‑operated service that checks URLs against constantly updated lists of malware, phishing, and unwanted software sites. On iOS, Chrome integrates this service natively, but a coding flaw — described in the CVE entry as a “side‑channel” — could let a clever attacker observe patterns in network requests, memory access, or timing to deduce private data.
Side‑channel attacks don’t directly crack encryption or bypass authentication. Instead, they infer secrets by measuring physical or behavioral side effects of a system. In the browser context, this might mean an attacker‑controlled website measuring how long Safe Browsing lookups take, or analyzing cached resources to determine whether a user has visited a particular URL. The vulnerability could thus expose browsing history, account tokens, or even credentials if the browser inadvertently leaks them during the safety check.
Google’s advisory, while sparse on technical specifics, urges all iOS Chrome users to update to version 150.0.7871.47 or later. The changelog for this release is otherwise minor, suggesting the patch was rushed out specifically to address the security hole. Notably, the CVE assignment date falls well after typical Chrome release cycles, indicating this may have been a privately reported issue that Google fixed under a limited disclosure timeline.
What it means for you
For everyday users
If you use Chrome on an iPhone or iPad, the immediate risk is that your browsing activity could be monitored by a malicious site in a way that’s nearly impossible to detect. While no public exploits are known yet, the high‑severity rating implies that weaponizing this flaw is feasible. Because Chrome often stores passwords and payment methods that sync across devices, an information leak in the iOS app could potentially expose credentials that you use on Windows or macOS as well.
The attack surface is limited to scenarios where you visit a compromised website or where a legitimate site is hijacked silently. But given that Safe Browsing checks are woven into every page load — even for well‑known safe sites — exploitation could be both broad and stealthy.
For Windows users in particular
Your Windows desktop Chrome is not directly affected. However, if you’re signed into Chrome on both your PC and iPhone, a compromise on the iOS side could cascade. For example, if an attacker manages to steal an authentication cookie from a side‑channel leak, they might impersonate you across Chrome’s sync infrastructure, gaining access to bookmarks, history, and even saved passwords on your Windows machine. This cross‑platform risk is one reason that IT security policies often treat mobile browsers as a weak link.
For IT professionals and system administrators
Mobile device management (MDM) policies that govern corporate iPhones rarely enforce specific browser versions. The patch lands at a time when many organizations are already struggling to manage remote and BYOD endpoints. You should:
- Push a notification to all staff who use Chrome on iOS to update immediately.
- If your MDM solution supports it, check for installed Chrome versions and block network access for outdated instances until they are updated.
- Remind users that Chrome’s built‑in password manager can be a vector if the iOS app is compromised; consider advising against storing enterprise credentials in the browser on mobile.
For developers and security researchers
The technical details will likely emerge after a grace period. Side‑channel bugs in Safe Browsing are relatively rare but not unprecedented. In 2023, researchers demonstrated similar attacks on Chrome’s desktop Safe Browsing implementation, though those were patched quickly. This iOS‑specific variant may be related to how the app handles sandboxing restrictions or integrates with WebKit — since all iOS browsers must use WebKit as their rendering engine, Chrome’s own code sits on top, and Safe Browsing is one of the few components where Google maintains full control.
How we got here
Chrome on iOS has always been something of a compromise. While Google builds the browser, it must rely on Apple’s WebKit for rendering, which limits how deeply it can control performance and security. Safe Browsing, however, is a separate Google service that the app implements directly. This independence makes it a valuable target for attackers.
The first signs of CVE-2026-13809 appeared in late 2025 when a security researcher reportedly submitted a report through Google’s Vulnerability Reward Program. Google classifies side‑channel vulnerabilities as high severity because they can be exploited remotely without user interaction, and they often defeat privacy protections like incognito mode. The company’s Chrome team released the fix on an accelerated schedule, skipping a normal beta cycle to get it out quickly.
This isn’t the first time Safe Browsing has drawn scrutiny. In 2019, a paper showed that “evil twin” WiFi hotspots could infer browsing patterns from Safe Browsing traffic patterns. Google mitigated that by encrypting the entire lookup channel. The new flaw suggests that side‑channel risks persist even with encryption, possibly through local caches or process‑level leaks.
What to do now
-
Update Chrome on your iPhone or iPad
- Open the App Store and tap your profile icon at the top.
- Scroll to find Chrome and tap “Update.” If you don’t see an update, pull down to refresh the list.
- After the update, launch Chrome, tap the three dots (or the menu icon), go to Settings > About Chrome, and confirm the version number is 150.0.7871.47 or higher. -
Enable automatic updates
- In the App Store, go to Settings (your profile) > App Updates, and make sure they are turned on. This will help you stay ahead of similar patches. -
Check for suspicious activity
- While the vulnerability is a side‑channel, it’s wise to watch for signs of account compromise: unexpected sync changes, unfamiliar devices in your Google Account security settings, or password change notifications you didn’t initiate. -
Consider a temporary switch
- If you can’t update right away, consider using Safari for sensitive transactions until you’re patched. Safari uses a different Safe Browsing implementation (Apple’s own, which may share some infrastructure but is coded separately). -
For IT admins: audit and block
- Use your asset inventory to identify all iPhones with Chrome installed. Leverage your MDM’s compliance rules: create a policy that marks a device as non‑compliant if Chrome version is below 150.0.7871.47 and restricts access to corporate resources until the user updates. -
Stay informed
- Google typically releases a full advisory with technical details about 30 days after the fix. Bookmark the Chrome Releases blog for any post‑mortem or follow‑up CVEs that might be related.
Outlook
Google’s swift action highlights both the maturity of its vulnerability response and the continuous pressure on mobile browser security. As browsers on all platforms grow more complex, side‑channel defenses will need to evolve — especially in cross‑platform ecosystems like Chrome where a leak on one device can compromise many.
For Windows users, this serves as a reminder that the security of your most trusted accounts doesn’t stop at the PC. Even a seemingly isolated flaw in an iPhone app can ripple across your digital life. The best defense remains a healthy skepticism toward unknown links, a rigorous update habit, and a security posture that treats every device as a potential entry point.
Google is expected to refine Safe Browsing on iOS further in upcoming releases, possibly by isolating the service into a separate process or adding additional noise to thwart timing analysis. Until then, keeping Chrome up to date is the single most effective step you can take.