Google on June 30 shipped an emergency fix for a high-severity Bluetooth flaw in Chrome for Windows that can let an attacker in physical proximity silently extract sensitive information from an unpatched machine. The company is urging all users to update to version 150.0.7871.47 or later immediately, as the bug — tracked as CVE-2026-14119 — requires no user interaction beyond having Chrome open and Bluetooth enabled.
What’s Broken — and How the Attack Works
The vulnerability is a type-confusion error inside Chrome’s implementation of the Web Bluetooth API. When the browser tries to handle specially crafted data from a malicious Bluetooth peripheral, it can confuse one data type for another, corrupting memory in a way that allows the attacker to read information they shouldn’t have access to.
In practical terms, a bad actor could walk into a coffee shop, airport lounge, or open-plan office with a small, rogue Bluetooth device — even a reprogrammed off-the-shelf gadget — and attempt to exploit the flaw on any nearby Windows laptop running an unpatched Chrome. The attack is stealthy: the victim sees no pop-up or pairing request. Chrome’s Web Bluetooth API is enabled by default, and many users never touch the settings that control it.
Google’s advisory confirms that an attacker within Bluetooth range can “potentially exploit heap corruption via a crafted Bluetooth device,” leading to information disclosure. The company hasn’t detailed what kind of data might be exposed, but type-confusion bugs in browser rendering engines have historically been powerful enough to leak authentication cookies, session tokens, or even memory contents that could be used to defeat advanced defenses like ASLR. In the worst case, such a flaw can act as a stepping stone to more complete code execution.
What the Patch Changes
Chrome 150.0.7871.47 addresses the root cause — a logic error in how the browser validates the type of a Bluetooth Low Energy (BLE) descriptor before using it. The fix ensures that Chrome no longer trusts data from a remote device without strict sanity checks. Because it’s a server-side style fix — meaning it lives in Chrome’s C++ code, not in JavaScript — simply updating the browser closes the hole; no website visits or user actions are required to trigger the patch.
The release also includes three other security fixes, though Google has not disclosed the CVEs for those to allow users time to update. As always, the stable channel update will roll out gradually over the coming days, but anyone can trigger it manually from the “About Google Chrome” page.
What This Means for You
Home Users
If you use Chrome on a Windows laptop or desktop, open the browser and type chrome://settings/help in the address bar. If the version number shown is anything lower than 150.0.7871.47, click “Relaunch” to finish the update. Closing all Chrome windows and reopening them afterwards ensures the new binary is in memory.
Check that Chrome’s automatic updates are turned on — by default they are, but some power users disable the Google Update service. If you’re not sure, navigate to chrome://settings/help, and confirm it says “Google Chrome is up to date.” On Windows, the Google Update service can be verified by opening services.msc and looking for “Google Update Service (gupdate)” and “Google Update Service (gupdatem)”; both must be set to Automatic and Running.
Once updated, you don’t need to turn off Bluetooth entirely, but the incident is a reminder that leaving Bluetooth on when you’re not using it increases your attack surface. On Windows 11, you can quickly toggle Bluetooth from the Action Center or Settings > Bluetooth & devices.
IT Administrators
For managed fleets, the immediate priority is verifying that Chrome has been updated across all Windows endpoints. The MSI installer for version 150.0.7871.47 is available from the Google Chrome Enterprise download page, and the Group Policy administrative templates have not changed — the existing “Update policy override” setting will pull the latest version from Google’s servers if configured correctly.
Administrators who block the Web Bluetooth API via the DefaultWebBluetoothGuardSetting Group Policy were already immune to this attack, even on older Chrome builds. That policy controls what sites can request Bluetooth access; setting it to “2” (Do not allow any site to request access) defeats the attack vector entirely. Review your GPOs to see if you’re using that mitigation — if not, consider deploying it as a defense-in-depth measure until every machine is patched.
For devices where Chrome can’t be updated immediately (e.g., kiosks, point-of-sale systems), disabling Bluetooth at the operating system level via PowerShell (Set-BluetoothState -Enabled $false on Windows 11) or Group Policy can buy time.
Developers Using Web Bluetooth
If your web application relies on the Web Bluetooth API, audit your permission flow. The vulnerability didn’t require a website to be open that explicitly uses Bluetooth — Chrome’s implementation allowed the bug to be triggered simply by having the browser running — but any site you’ve granted Bluetooth access to could, in theory, be weaponized to carry out a more targeted attack. Revoke permissions for sites you no longer use, and ensure your own site’s error handling degrades gracefully if Bluetooth isn’t available.
Google hasn’t released technical details of how the type confusion manifests, but you can expect a deeper analysis once the majority of users have updated. Check the Chromium issue tracker for a public bug entry that will be unlocked in the coming weeks.
How We Got Here: Chrome, Bluetooth, and the Race to Patch
Type-confusion bugs are a recurring, dangerous class of vulnerability in browser engines. In 2025 alone, Chrome’s release notes documented at least a dozen such flaws, many of them exploited in the wild. They occur when a lump of memory is treated as one object (say, an integer) when it’s really another (a callback pointer), leading to incorrect interpretation that attackers can lever into data reads or code execution.
Chrome’s Web Bluetooth API, first shipped in 2015, has been a relatively quiet attack surface — but not for lack of complexity. The API allows web pages to communicate with Bluetooth Low Energy peripherals after the user grants permission. To make that work, Chrome must parse real-world Bluetooth traffic, a task fraught with the same memory-safety pitfalls that plague browser rendering engines. Google’s Chromium team typically addresses these via its layered sandbox architecture, but sandboxes can’t protect against information disclosures that happen entirely within the renderer process.
CVE-2026-14119 was reported by an external researcher through Google’s bug bounty program; the company hasn’t named the individual yet. The fact that it was patched within the normal 24–48 hour emergency update window suggests that Google doesn’t believe it’s currently under active exploitation, but the company rarely comments on that until well after the fact. Given that the flaw requires physical proximity, widespread exploitation is harder than with remote, web-facing bugs — but targeted attacks against executives or journalists in public spaces remain a credible scenario.
This is the second Bluetooth-specific Chrome patch in 2026; a lower-severity denial-of-service bug was fixed in April (CVE-2026-11247). Windows remains the only affected platform this time around, likely because of differences in how Chrome integrates with the Bluetooth stack on Windows versus macOS or ChromeOS. On Windows, Chrome relies on the WinRT Bluetooth APIs, whereas on other platforms it uses BlueZ or the native Core Bluetooth framework — each with its own parsing nuances.
Your Immediate Action Plan
- Update Chrome now. Go to
chrome://settings/help, let the version check run, and relaunch when prompted. Confirm the build number: 150.0.7871.47 or higher. - Verify auto-update is active. In the same Help page, ensure the message says “Google Chrome is up to date” after relaunching. If it says updates are disabled, see Google’s support article on managing Google Update.
- Check your Web Bluetooth site permissions. Visit
chrome://settings/content/bluetoothDevicesand review the list of sites allowed to access your Bluetooth devices. Remove any that are unfamiliar or unnecessary. - For enterprise admins: deploy the new Chrome MSI, enforce the
DefaultWebBluetoothGuardSettingpolicy to 2 if you can, and audit your fleet’s version compliance using your endpoint management tool. - Consider toggling Bluetooth off when not in use. It’s not a permanent fix, but it reduces your exposure window to zero between now and when you install the update.
What to Watch Next
Google says it may publish a full report on CVE-2026-14119 after the majority of users have updated — typically within a few weeks. Once the Chromium bug is unsealed, expect security researchers to publish proof-of-concept code, which will clarify just how much data a nearby attacker could actually exfiltrate. For now, the smartest move is to close the door before anyone knocks.