Google has shipped a security patch for Chrome on macOS to close a critical use-after-free vulnerability in WebUSB that could let a local attacker run arbitrary code by connecting a malicious USB peripheral. The fix lands in version 150.0.7871.47, and macOS users should install it immediately—especially those who regularly work with external devices like USB drives, hardware keys, or debugging tools.
What actually changed
The patched version, Chrome 150.0.7871.47 for macOS, addresses CVE-2026-13778, a use-after-free memory bug in the WebUSB implementation. WebUSB is a browser API that allows web applications to communicate with USB devices directly from a web page, without requiring a native driver. It’s used by Chrome extensions and websites for firmware updates, hardware configuration, and specialized tools.
A use-after-free occurs when a program continues to reference memory after it has been deallocated. Attackers who can manipulate that dangling pointer may redirect execution to their own code. In this case, because the vulnerability resides in WebUSB, exploitation requires the attacker to physically connect a specially crafted USB device to the target machine. That means the attack is local—someone has to plug in a hostile peripheral—but it does not require any user interaction beyond that initial connection.
Google’s advisory classifies the flaw as high severity. The company hasn’t disclosed the full technical details yet, which is standard practice while users have time to update. Browsers that share the Chromium engine, such as Microsoft Edge, Brave, and Opera, may also be affected if they enable WebUSB, though the immediate patch is delivered through Chrome’s own update channel.
What it means for you
If you’re a macOS user
You’re the direct target of this fix. Visit chrome://settings/help (type it in the address bar) to trigger an update check. Once Chrome restarts, you should see version 150.0.7871.47 or later listed in the About page. If you manage multiple Macs at work, deploy the update through your standard patch management tools.
Real-world exploitation would likely require you to insert an unfamiliar USB device—something left in a parking lot, handed out at a conference, or even plugged in by an intruder with brief physical access. This isn’t a drive-by download; it demands proximity. But for anyone who handles unknown gear (think IT staff, hardware reviewers, or journalists), the risk is tangible.
If you’re a Windows or Linux user
The CVE is explicitly tagged as macOS-only in Google’s advisory. That doesn’t mean the threat is irrelevant to you. WebUSB exists on all desktop Chrome installations, and similar use-after-free bugs have appeared across platforms in the past. Windows users who run Chrome or Chromium-based browsers should take this as a reminder to keep their browser updated and to be just as cautious with unknown USB devices.
IT administrators can harden their fleet by disabling WebUSB unless absolutely needed. In Chrome, you can turn it off via chrome://flags/#webusb or through GPO/enterprise policy on managed devices. The policy is named DefaultWebUsbGuardSetting; setting it to 2 blocks WebUSB entirely.
If you’re a developer
If your web application or extension relies on WebUSB, test it against the updated browser immediately. The patch shouldn’t alter the API’s behavior, but Google occasionally tightens security checks that could affect legitimate use cases. Review the Chrome Platform Status page and the WebUSB specification to stay current.
How we got here
WebUSB debuted in Chrome 54 back in 2016 as an easy way to connect microcontrollers, 3D printers, and other USB gadgets to the web. It eliminates the need for a separate desktop app, but it also brings a powerful capability—direct hardware access—into the browser’s attack surface. Every memory-management flaw in that code path becomes a potential foothold for attackers.
Use-after-free bugs have plagued Chromium for years. Google’s internal analysis shows that use-after-free vulnerabilities account for a significant share of the critical bugs patched in Chrome each cycle. The root cause is often the complex manual memory management in C++ code. While Google invests heavily in remediation—Migrate to safer languages like Rust, smart pointer adoption, and fuzz testing—legacy code like the WebUSB stack still runs largely on C++.
This isn’t the first WebUSB-related security fix. In 2023, Chrome patched a heap buffer overflow in WebUSB (CVE-2023-0123), and earlier issues involved input validation failures that could leak data. The recurring pattern suggests that any feature offering raw device access will continue to attract scrutiny.
Interestingly, Microsoft’s Edge team initially shipped WebUSB on by default but later disabled it by default in Windows versions due to security concerns, while still allowing users to re-enable it. As of Edge 95, the feature is off unless explicitly turned on. That decision underscores the tension between capability and risk.
What to do now
- Update Chrome on all macOS machines. Open Chrome, click the three-dot menu, choose Help > About Google Chrome, and let it download and install the update. Restart the browser to complete the process.
- Verify the version. Type
chrome://versionin the address bar and confirm the first line shows 150.0.7871.47 or higher. - Audit your USB hygiene. Treat unknown USB devices with suspicion. Never plug in a drive or peripheral that you didn’t buy yourself or obtain from a trusted source.
- Disable WebUSB if you don’t need it. Navigate to
chrome://flags/#webusband set the flag to Disabled. Restart Chrome. This eliminates the attack surface for this particular class of bugs. - For IT administrators: push the update via your patching tool (Jamf, Intune, etc.). Consider setting the
DefaultWebUsbGuardSettingpolicy to block WebUSB on managed browsers unless a specific business need exists. - Stay informed. Bookmark the Chrome Releases blog and the NVD (National Vulnerability Database) page for Chrome advisories. Sign up for Google’s security bulletin mailing list.
- Watch for similar threats on other Chromium browsers. Check if your organization uses Edge, Brave, or Opera on macOS, and verify their update status—they may incorporate this fix on their own release cadence.
Outlook
Local attacks via USB are rare but highly effective when they succeed. As long as browsers expand their hardware access footprint, use-after-free and similar memory bugs will remain a concern. Google’s fix is fast, but the onus is on users and IT teams to apply it before attackers reverse-engineer the patch and craft exploits. In the longer term, we’ll likely see more Chromium components rewritten in memory-safe languages, reducing the occurrence of these low-level flaws. For now, the lesson is simple: keep your browser up to date, and think twice before plugging that stray USB stick into your Mac.