Google has shipped an urgent update for Chrome on iOS, closing a vulnerability that could let snoops with momentary access to your unlocked iPhone or iPad extract potentially sensitive information. The patch, brought in version 150.0.7871.47, addresses a medium-severity race condition tracked as CVE-2026-13905. If you use Chrome on an Apple mobile device, you’ll want to install this update without delay.

What the Patch Addresses

CVE-2026-13905 is a race condition in Chrome for iOS. In simple terms, a race condition happens when the browser tries to do two things at once, and an attacker can slip in and interfere with the sequence to force unintended behavior. In this case, a local attacker with physical access to the device could exploit that timing flaw to obtain potentially sensitive information.

Google hasn’t disclosed exactly what kind of data is at risk—a common industry practice to give users time to patch before attackers reverse-engineer the fix. But a flaw labeled “potentially sensitive information” in the context of a browser suggests that something like cookies, saved passwords, autofill data, or browsing history could be exposed. Because the attack requires physical access, the clearest danger comes from a lost or stolen device, or a brief moment when someone else handles your unlocked phone.

The medium-severity rating reflects that the vulnerability is serious but not wormable or remotely exploitable. That doesn’t make it harmless. In the wrong hands, even a few seconds of physical access could be enough to run a script that swipes data before you notice.

Who Is Affected and What’s at Stake

Every Chrome for iOS user running a version older than 150.0.7871.47 is vulnerable. If you already have auto-update enabled in the App Store, you might already be protected—but it’s worth verifying manually. The update is rolling out globally and should be available to all users right away.

For home users, the risk is straightforward. If your iPhone or iPad is stolen, a thief who gets past the lock screen (or already has physical access while the device is unlocked) could potentially siphon out sensitive data from Chrome. Even in less criminal scenarios—a nosy family member, a repair shop with lax practices—the vulnerability could be a privacy risk. The fix is small, quick, and costs nothing but a moment of your time.

For IT administrators managing company-owned iOS devices, the stakes are higher. Chrome is often used on enterprise iPhones and iPads to access corporate web apps, and the browser may store authentication tokens or internal URLs in its local data. A compromised device could expose more than personal information. Pushing this update via mobile device management or strongly urging employees to update manually should be a priority.

Developers testing web applications on iOS should also update immediately. Even if Chrome isn’t your primary test browser, it’s still widely used, and any device with developer profiles or internal tools that also runs Chrome could become a weak link.

The Broader Context of iOS Browser Security

Chrome for iOS sits in a unique position. Because of Apple’s restrictions, all browsers on iOS must use the system-provided WebKit rendering engine. In that sense, Chrome’s core web rendering is identical to Safari’s. But Chrome wraps that engine in its own layer of features: syncing with Google accounts, password management, voice search, and a host of other integrations. That extra layer means Chrome has its own attack surface, separate from WebKit.

This isn’t the first time Chrome on iOS has needed a security patch. Google regularly updates the browser across all platforms, often patching dozens of vulnerabilities in each release. What makes CVE-2026-13905 noteworthy is the physical-access requirement—most browser bugs are exploited remotely through malicious websites. A local attack vector changes the threat model and grabs attention because it means the barrier to exploitation is as low as someone picking up your phone.

The medium severity also tells a story. Google’s severity scale accounts for the worst-case scenario under realistic conditions. A remote code execution flaw would normally be high or critical. This one requires physical proximity and an unlocked or already-compromised device, so it lands in the medium bucket. That doesn’t signal it’s ignorable; it signals that ordinary caution—like not handing an unlocked device to strangers—already reduces risk, but the bug still needed closing.

Apple’s own iOS security model adds another layer. App sandboxing should, in theory, prevent Chrome from exposing data that other apps could read. But the vulnerability is inside Chrome’s own process, meaning the attacker stays within Chrome’s sandbox and accesses data Chrome itself can see. So the fix had to come from Google, not Apple.

How to Update Chrome on Your iPhone or iPad

Updating is simple and takes about a minute. Here’s exactly what to do:

  1. Open the App Store on your iPhone or iPad.
  2. Tap your profile icon in the top-right corner.
  3. Scroll down to the list of available updates until you find Chrome.
  4. Tap “Update” next to the Chrome listing. If you only see “Open,” Chrome is already up to date.
  5. To double-check the version, launch Chrome, tap the three-dot menu icon (bottom right), go to Settings > Google Chrome, and look at the version number. It should read 150.0.7871.47.

If you don’t see the update yet, you can refresh the updates list by pulling down on the screen. Sometimes updates take a few hours to propagate across Apple’s servers, but Google typically makes them available immediately.

For those who prefer automatic updates, make sure “App Updates” is enabled in Settings > App Store. That way, you’ll get security patches as soon as your device is on Wi-Fi and charging. Even with auto-update on, it’s worth manually checking now—auto-update can be delayed by days.

After updating, it’s good practice to fully close Chrome (swipe up from the app switcher) and reopen it. This ensures the old vulnerable code isn’t still hanging on in memory.

The Road Ahead for Chrome on iOS Security

Google typically reserves full technical details of vulnerabilities for a few days or weeks after the patch ships. As more information emerges, we’ll learn exactly how the race condition worked and what data an attacker could have obtained. That deeper analysis sometimes leads to related security improvements in subsequent releases.

For now, the key takeaway is that mobile browsers need the same vigilance as their desktop counterparts. iOS users often assume the platform’s walled garden makes them immune, but Chrome’s own complexity—and its massive user base—means it remains an attractive target. Keep auto-update turned on, and when a CVE like this one surfaces, don’t sleep on the patch.

Google hasn’t indicated that this vulnerability is being actively exploited in the wild. But with millions of Chrome installations on iOS, it’s only a matter of time before proof-of-concept code circulates. Patching early is the difference between being a potential victim and being protected.