Google disclosed a medium-severity vulnerability in Chrome’s Cast component on June 30, 2026, that could allow websites to extract details about your local network—think internal IP addresses, device names, and active services. The flaw, tracked as CVE-2026-13940, affects all Chrome versions prior to 150.0.7871.47, and while Google says it hasn’t seen active exploitation, the fix merits immediate attention from anyone who uses the browser.

The Cast Component’s Memory-Handling Flaw

CVE-2026-13940 is an uninitialized-use bug in the way Chrome’s Cast component manages memory. When a program fails to properly initialize a memory region before reading from it, leftover data from previous operations can leak out. In this case, the leaked memory contained information about the user’s local network—data that Cast routinely collects to discover and communicate with nearby devices like Chromecasts, smart displays, or other casting targets.

The upshot: a malicious website that exploited this flaw could harvest your internal IP addresses, device names, or even open port information without you ever clicking a dialog or accepting a permission prompt. An attacker couldn’t break into your devices directly, but network reconnaissance is often the first step in a targeted attack. Knowing your internal infrastructure lets an adversary tailor phishing campaigns, spot vulnerable IoT devices, or prepare for lateral movement in a corporate setting.

Google classified the vulnerability as medium severity, not because the impact is trivial, but because exploiting it requires user interaction (visiting a compromised page) and doesn’t grant code execution on its own. Still, for anyone on a shared or unsegmented network—especially in enterprise, education, or healthcare environments—the risk is real.

Who Is Affected?

The bug resides in Chrome’s cross-platform Cast implementation, so all desktop platforms are impacted. Chrome 150.0.7871.47 rolls out the patch for Windows and Mac first; Linux and Android builds follow shortly as part of the same stable channel update. If you haven’t restarted Chrome in the last few days, your browser is almost certainly running an older, vulnerable version.

Google’s advisory marks the vulnerability as exploitable only via the renderer process, meaning an attacker would need to escape Chrome’s sandbox to do deeper harm. But information leaks that bypass the sandbox—like this one—are exactly the kind of breadcrumbs that advanced persistent threat actors and ransomware groups use to profile targets. For the typical home user, the immediate threat is low, but for IT administrators managing fleets of Windows endpoints, this is a patching priority.

How We Got Here

Chrome’s Cast protocol works by using mDNS and SSDP to scan the local network for devices that advertise themselves as casting endpoints. This discovery process involves collecting raw network packets that may contain device names, IPs, and service banners. When Chrome’s Cast component didn’t properly clear a memory buffer before reusing it, those network details remained in memory and became readable by a web page—essentially a classic information disclosure through uninitialized memory.

This isn’t the first time Chrome’s local network scanning has raised flags. Over the years, researchers have warned that overly permissive network APIs in browsers can erode privacy. Google has gradually tightened controls, requiring user permission for certain WebRTC scanner calls and adding an explicit “Local Network Access” setting. CVE-2026-13940 sits in the messy overlap between the operating system’s network stack, Chrome’s memory management, and the Cast subsystem’s aggressive discovery logic.

The timeline from discovery to patch was swift. Google’s security team received the report through its Vulnerability Reward Program on June 12, 2026, triaged it within 48 hours, and merged the fix into the Chrome 150 branch a week later. The stable channel update went live on June 30. Because the bug was reported externally, details remain limited until more users have updated.

What To Do Now

For Everyone: Update Chrome Immediately

The single most important action is to update to Chrome version 150.0.7871.47 (or later). Chrome updates itself automatically in the background, but the browser must be restarted for the new binaries to load. Here’s how to force the update:

  1. Open Chrome.
  2. Click the three-dot menu in the top-right corner.
  3. Go to Help > About Google Chrome.
  4. Chrome will check for updates and begin downloading if a new version is available.
  5. Click Relaunch once the download completes.

After relaunching, confirm the version by returning to the About page. It should read 150.0.7871.47 (or higher). If you see any older number, repeat the process—corporate Group Policy settings or third-party update managers might be blocking the update.

For Windows Users Specifically

Windows users often run multiple browsers, but Chrome’s Cast integration is uniquely tied to the OS’s network discovery services. On Windows, Chrome uses the UPnP and Web Services Dynamic Discovery (WS-Discovery) protocols, which can produce even richer network information than on macOS. That makes the Windows client a slightly juicier target. The patch addresses the root cause in Chrome’s code, so no OS-level changes are required, but if you ever use Chrome to cast to a Windows-connected device (like a Miracast display or a media server), you’re squarely in the affected zone.

For IT Administrators

Enterprises that manage Chrome via Group Policy, MDM, or the Chrome Browser Cloud Management console should push the update to all managed devices immediately.

  • Group Policy: Download the latest administrative template bundle for Chrome 150 and update your GPOs to deploy the MSI installer for version 150.0.7871.47. Ensure the “Allow Chrome to automatically update” policy is not blocked.
  • MDM / Jamf / Intune: Distribute the updated MSI/PKG through your software deployment pipeline. Force a browser restart after installation.
  • LTS releases: If you’re on the Chrome 150 LTS track, the fix will arrive in the next cumulative LTS update, but you can temporarily switch to the stable channel to get protection sooner.
  • Network segmentation: As a defense-in-depth measure, review whether endpoints that handle sensitive data should really be on the same VLAN as IoT devices and smart displays. Limiting Cast’s discovery scope via firewall rules won’t fix the memory bug, but it reduces the amount of local network data an attacker could extract.

Google’s advisory lists no workarounds short of the full patch. Disabling the Cast component entirely via command-line flags (--disable-cast or enterprise policies) would prevent the leak, but it also breaks all casting functionality. For most users, patching is the practical route.
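The version check described in the update steps above, and the fleet rollout in the administrator list, both come down to the same question: is the build Chrome is actually running at or above 150.0.7871.47? The PowerShell script below is an added example, not Google's tooling or anything from the advisory. It assumes Chrome's default Windows install locations, that chrome.exe's ProductVersion is the build that launches today, and that each downloaded build sits in its own version-named subdirectory under the Application folder; on that basis it distinguishes a patched browser from one where the fix is downloaded but waiting for a relaunch, which is exactly the case the article warns about.

```powershell
# Added example: Windows patch-status check for CVE-2026-13940.
# Not Google's tooling. Assumptions: default Chrome install paths, chrome.exe's
# ProductVersion is the currently launchable build, and downloaded builds live in
# version-named subdirectories of the Application folder.

$FixedVersion = [System.Version]'150.0.7871.47'   # first fixed build named in the advisory

function Get-ChromeInstall {
    # Per-machine (64-bit and 32-bit) and per-user install locations (assumed defaults).
    $roots = @(
        "$env:ProgramFiles\Google\Chrome\Application",
        "${env:ProgramFiles(x86)}\Google\Chrome\Application",
        "$env:LOCALAPPDATA\Google\Chrome\Application"
    )
    foreach ($root in $roots) {
        $exe = Join-Path $root 'chrome.exe'
        if (-not (Test-Path -LiteralPath $exe)) { continue }

        # The build that starts when the user opens Chrome (in use until a relaunch).
        $active = [System.Version]((Get-Item -LiteralPath $exe).VersionInfo.ProductVersion)

        # The highest version-named subdirectory is what the updater has staged on disk,
        # whether or not the browser has been relaunched into it yet.
        $staged = Get-ChildItem -LiteralPath $root -Directory |
            Where-Object { $_.Name -match '^\d+(\.\d+){3}$' } |
            ForEach-Object { [System.Version]$_.Name } |
            Sort-Object -Descending |
            Select-Object -First 1
        if ($null -eq $staged) { $staged = $active }

        return [pscustomobject]@{ Root = $root; Active = $active; Staged = $staged }
    }
    return $null
}

function Get-ChromePatchStatus {
    param(
        [Parameter(Mandatory)][System.Version]$Active,
        [Parameter(Mandatory)][System.Version]$Staged,
        [System.Version]$Fixed = $FixedVersion
    )
    # [System.Version] compares each component as an integer, so 150.0.7871.9 sorts
    # below 150.0.7871.47 as it should; a plain string comparison would get this wrong.
    if ($Active -ge $Fixed) { return 'Patched' }
    if ($Staged -ge $Fixed) { return 'RelaunchRequired' }   # fix on disk, not yet loaded
    return 'Vulnerable'
}

$install = Get-ChromeInstall
if ($null -eq $install) {
    Write-Output 'Chrome not found in the default install locations.'
    exit 2
}

$status = Get-ChromePatchStatus -Active $install.Active -Staged $install.Staged
Write-Output ('{0}: running {1}, staged {2}, fixed {3} ({4})' -f $status, $install.Active, $install.Staged, $FixedVersion, $install.Root)

# Distinct exit codes let an Intune, Jamf or GPO startup script flag non-compliant hosts.
switch ($status) {
    'Patched'          { exit 0 }
    'RelaunchRequired' { exit 1 }
    default            { exit 3 }
}
```

Run it as the logged-on user for per-user installs, or from a machine-level script for per-machine ones; a RelaunchRequired result means the update steps above stalled at the final "Relaunch" click, while Vulnerable on a managed endpoint points at a blocked updater policy or a deployment that has not reached the host.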

Outlook

Chrome 150 was already a significant release, bringing improvements to Performance Detection and a revamped download UI. CVE-2026-13940 underscores a persistent tension in modern browsers: the features we love often come with expanded attack surface. As Cast and similar discovery protocols become more baked into Chrome’s architecture, the sandbox team will need to tighten memory isolation further. Expect Google to accelerate the shift to memory-safe languages like Rust in these low-level networking components.

In the short term, the usual post-patch cycle will play out. Security researchers will reverse-engineer the fix and publish proof-of-concept code within weeks, making unpatched installations ever more dangerous. The June 30 update also includes patches for several other CVEs, so even if you discount the Cast bug, you have plenty of reasons to restart Chrome today.

For Windows users and admins, the message is clear: check your Chrome version now, hit update, and keep an eye on the Chrome Releases blog for any follow-up advisories. A medium-severity memory bug that leaks local network topology might not make national headlines, but in the wrong hands, it’s a precise targeting tool. Patch fast, and don’t let a quiet Patch Tuesday fool you into complacency.