Google has issued an urgent Chrome update for macOS that closes a use-after-free vulnerability in the browser’s USB handling code. Tracked as CVE-2026-13880, the flaw could let a remote attacker break out of Chrome’s hardened sandbox, potentially seizing control of the underlying system. Users on Mac are urged to immediately install version 150.0.7871.47.

The Vulnerability at a Glance

CVE-2026-13880 is a use-after-free memory corruption bug that resides in the way Chrome on macOS manages USB device connections. When a user visits a specially crafted website or connects a malicious USB device, the error can be triggered. If successfully exploited, an attacker could escape Chrome’s sandbox — a critical security boundary that usually contains any damage to the browser process itself.

Google’s advisory, released alongside the stable channel update, classifies the vulnerability as high severity. It was discovered and reported by an external security researcher, though details remain limited to give users time to patch. The Common Vulnerability Scoring System (CVSS) score is not yet public, but sandbox escapes in widely used software routinely top 8.5 on the 10-point scale.

What Changed in Chrome 150.0.7871.47

The update that addresses CVE-2026-13880 is the latest stable channel release for macOS. The full version number is 150.0.7871.47, and it contains the security fix along with other routine improvements. Google typically refreshes Chrome on all desktop platforms simultaneously; however, the advisory explicitly marks only macOS as affected. Windows and Linux builds of the same version may ship with unrelated fixes, but the USB bug is reportedly a macOS-specific issue.

Chrome’s release notes highlight the single CVE, which is unusual: most stable channel updates bundle multiple security patches. The narrow focus signals both the severity of this particular bug and the urgency of the fix. Google is likely still investigating whether the same vulnerable code path exists on other platforms but cannot yet be exploited there.

What It Means for Mac Users

If you’re running Chrome on a Mac, the short answer is: update right now. A sandbox escape in a browser is one of the most dangerous categories of software vulnerability. Normally, Chrome’s sandbox isolates web content from the operating system, preventing a compromised renderer from installing malware, stealing files, or snooping on other tabs. When that barrier fails, a single visit to a malicious site could hand remote attackers a foothold on your entire machine.

The USB angle adds another layer of risk. Attackers could use phishing emails or social media links to direct users to a site that activates the flaw, or they could plant a weaponized USB device in a public space, hoping someone plugs it in while Chrome is open. Because the bug lives in the browser, even fully patched macOS systems remain vulnerable until Chrome itself is updated.

Notably, this vulnerability does not appear to affect Chrome’s content settings or macOS’s own USB restrictions. The sandbox escape occurs inside Chrome’s process, so it bypasses normal permission prompts. This makes the attack stealthy — users may have no indication their system has been compromised.

A Wider Lesson for All Chrome Users

Windows and Linux users are not directly exposed to CVE-2026-13880, but they shouldn’t tune out. The episode underscores how the very features that make software extensible — like USB device APIs — can introduce unexpected attack surface. Chrome’s multi-platform codebase means a bug discovered on one OS often has cousins on others. In fact, Google’s advisory notes that further investigation into cross-platform impact is ongoing. All Chrome users should adopt a simple rule: whenever a new stable version appears, update within 24 hours.

Enterprise administrators who manage Chrome on employee Macs will need to push this update through their usual distribution channels. Because sandbox escapes can break down the boundaries between work and personal data on BYOD machines, the risk is especially high in corporate environments. Patching should be prioritized over typical browser update cycles.

How We Got Here: Use-After-Free in USB Code

Use-after-free bugs have plagued software for decades. They occur when a program continues to reference memory after it has been freed, leading to crashes or, in skilled hands, arbitrary code execution. In the context of Chrome, such flaws are prime candidates for sandbox escape because they can corrupt memory in the browser process itself, potentially overwriting pointers or function tables that guard security boundaries.

Chrome’s USB support, introduced several years ago, enables web apps to talk to connected devices like printers, security keys, and external storage. It’s a complex API that must juggle permissions, device enumeration, and data transfer while respecting the sandbox. An attacker who can trigger a use-after-free during device disconnection or reconnection could jump from the confined web process to the browser’s privileged UI process, and from there to the OS.

This isn’t the first time Chrome’s USB stack has drawn scrutiny. In 2025, researchers at Google’s Project Zero disclosed a series of logic bugs in the WebUSB implementation that could have allowed drive-by attacks. More broadly, browser sandbox escapes have become rarer but remain the holy grail for attackers, often commanding million-dollar bounties and appearing only in sophisticated, targeted campaigns.

Chrome’s security team has built several layers of defense against such attacks, including site isolation, V8 hardening, and the MiraclePtr memory protection. However, the discovery of CVE-2026-13880 shows that no single line of defense is impenetrable. The bug was likely unearthed through fuzzing — automated tools that hammer the USB code with malformed inputs — or by a sharp-eyed researcher auditing the code.

Immediate Steps: How to Update

Updating Chrome on macOS is straightforward:
1. Open Chrome.
2. Click the three-dot menu in the top right, then go to Help → About Google Chrome.
3. The browser will automatically check for updates and download version 150.0.7871.47.
4. After the download completes, click Relaunch.

If you don’t see the update immediately, wait a minute and check again; staged rollouts sometimes cause delays. You can also download the latest installer directly from google.com/chrome.

For system administrators, the enterprise MSI or PKG installer for Chrome 150.0.7871.47 should be deployed via your management console. Stricter environments should consider forcing an update policy that pulls from the stable channel regularly.

After updating, verify the version by navigating back to About Google Chrome. The version number should end in .47. If it doesn’t, the update hasn’t applied; restart the browser or your Mac and try again.

The Road Ahead

Google typically waits a few weeks before publishing technical details of a patched vulnerability. That disclosure will reveal whether the bug was ever exploited in the wild. For now, there are no confirmed reports of active attacks, but the window between disclosure and exploitation is narrowing. Mac users who delay this update are gambling with a weaponized proof-of-concept likely appearing within days.

Longer-term, Chrome’s security team may reassess how USB operations interact with the sandbox, possibly breaking out dangerous functions into separate, more isolated processes. For users, the best defense remains constant vigilance: apply updates the moment they’re available, run a reputable ad blocker to reduce exposure to malicious code, and treat any unexpected USB device with suspicion.

The broader trend is clear: as browsers evolve into full-fledged application platforms, their attack surface grows. Each new API — WebUSB, WebGPU, WebBluetooth — opens fresh possibilities for researchers and attackers alike. CVE-2026-13880 is a reminder that security is a moving target, and even the most hardened software needs rapid, consistent patching.