Google has released a targeted update for Chrome on iOS, fixing a medium-severity vulnerability that could let attackers circumvent Safe Browsing protections with nothing more than a crafted webpage. The fix arrives in version 150.0.7871.47, which is now rolling out worldwide through Apple’s App Store.

Anyone running Chrome on an iPhone or iPad should ensure they are on this version or newer, as the flaw — tracked as CVE-2026-13904 — allows a remote attacker to bypass navigation restrictions that normally prevent users from landing on known malicious or deceptive sites.

What’s in the Update

The sole security fix in Chrome 150.0.7871.47 for iOS is CVE-2026-13904, a vulnerability identified in the browser’s implementation of Safe Browsing. According to Google’s advisory, the issue could be exploited by serving “crafted HTML” to a victim, enabling an attacker to evade navigation restrictions that Safe Browsing normally enforces.

The flaw is rated medium severity, which may sound less alarming than a critical remote-code-execution bug, but it directly undermines a primary defense mechanism. Safe Browsing is the technology that warns you before you visit phishing sites, malware-hosting pages, or deceptive downloads. If an attacker can bypass these warnings, even a cautious user could be tricked into visiting a harmful destination.

Google has not released detailed technical information about the exploit method, a standard practice to give users time to update before attackers reverse-engineer the patch. The company credited an external security researcher for the discovery, though the name was not made public at the time of disclosure.

Who Needs to Act and Why

The update is critical for anyone who uses Chrome as their primary browser on an iPhone or iPad. Unlike on desktop platforms, where Chrome includes its own rendering engine, Chrome on iOS must use Apple’s WebKit. That means many traditional web-platform exploits don’t apply, but Safe Browsing is a key differentiator that Chrome brings to iOS — and this bug puts that advantage at risk.

For everyday users, the practical danger is that a link you tap in an email, message, or search result could bypass the usual red-screen warning and land you on a convincing phishing page or a site that attempts to install a malicious configuration profile. While iOS sandboxing provides significant protection against malware, phishing remains a highly effective attack vector, especially when users are lulled by the absence of a warning.

For enterprise administrators managing fleets of iOS devices, the patch carries additional weight. Many organizations rely on Chrome for its management capabilities and Safe Browsing integration to enforce acceptable-use policies. An unpatched version of Chrome could create a gap in those defenses, allowing employees to drift onto harmful destinations even when policies are set to block them. IT teams should push a silent app update or communicate clearly to staff about the need to manually update.

For developers who embed WebViews in their own iOS apps that leverage Chrome’s Safe Browsing services, it’s worth checking how your implementation interacts with the fix. While the update is delivered through Chrome itself, the underlying service might influence certain SDKs or web views that rely on the system’s Safe Browsing database. Google’s advisory does not indicate any changes to APIs, but it’s a prudent check.

The Bigger Picture: Safe Browsing on iOS

To understand why a medium-severity bypass earns urgent attention, it helps to step back and look at how Safe Browsing works within Apple’s ecosystem. On iOS, all third-party browsers are required to use WebKit for rendering, which means Chrome cannot bring its own Blink engine or its own networking stack. Instead, it layers services on top of the system-provided web view.

Safe Browsing is one of those layers. It checks URLs against a locally stored list of threat-hashes, updated regularly, and can also call out to Google’s servers for real-time checks. When it works as intended, it puts up a full-screen warning before a malicious page loads, giving you a chance to retreat. Bypassing that warning is like removing a smoke detector’s alarm while leaving the battery in place — it looks functional, but it won’t alert you when there’s a fire.

This isn’t the first time a Safe Browsing bypass has been patched. Similar bugs have cropped up in Chrome for desktop and Android over the years. In most cases, the fix revolves around stricter validation of URLs or improved handling of redirects that can fool the local check. The fact that a crafty HTML page alone could trigger this bypass on iOS suggests the root cause may lie in how Chrome interpreted certain navigation triggers within WebKit — but without a technical write-up, that remains speculative.

Apple’s own Safari uses a similar technology, albeit with a different backend (Apple’s “Fraudulent Website Warning” powered by Google Safe Browsing on a privacy-enhanced proxy model). This means the vulnerability does not affect Safari itself, but it does leave a gap for users who have switched to Chrome as a deliberate security choice. If you’re on iOS and use Chrome precisely because you trust its Safe Browsing warnings, you’ve been running with a partly hobbled safety net.

How to Check Your Version and Update

Ensuring you have the patched version is straightforward on iOS, but it’s easy to overlook automatic updates if you have them disabled or if your device hasn’t refreshed recently.

  • Open the App Store and tap your profile icon in the top right.
  • Scroll to the Chrome app in the list of pending updates. If version 150.0.7871.47 or later is listed, tap Update.
  • If Chrome doesn’t appear in the update list, open the Chrome app, tap the three-dot menu, go to Settings, and look near the bottom for “Google Chrome.” The version number is displayed just below the app name.
  • If you see a number lower than 150.0.7871.47, force-quit the App Store, reopen it, and check again. Sometimes updates are staged regionally and may take a few hours to appear.
  • Enable automatic updates for peace of mind: Settings → App Store → turn on App Updates. This won’t force the Chrome update immediately, but it will apply it once your device picks it up overnight.

Corporate-managed devices may need an MDM push or a manual check if policy restricts automatic updates. IT administrators should verify that their device fleet has the update approved and deployed; otherwise, users might not be able to update even if they try.

What Comes Next

Google typically releases stable-channel updates for Chrome on iOS on a similar cadence to desktop releases, though iOS-specific vulnerabilities sometimes get expedited patches. With this medium-severity fix shipped, attention will shift to any further disclosures — often, the researcher who reported the bug will publish technical details once the update is widely adopted.

There’s also a broader conversation brewing about how safe browsing implementations can be hardened across mobile platforms. iOS limits what browsers can do, but the very same constraint can make bypasses harder to detect because the browser cannot independently inspect the full network stack. As more personal and business tasks migrate to mobile devices, attackers will continue to probe these seams.

For now, the immediate step is clear: open the App Store, update Chrome, and tap that version number to confirm you’re on at least 150.0.7871.47. Medium severity or not, a bypass to your browser’s warning system isn’t something to sleep on.