Google pushed out Chrome 150.0.7871.47 for Windows and Mac on June 30, 2026, addressing a medium-severity UI spoofing vulnerability tracked as CVE-2026-13973. The bug could allow a malicious web page to impersonate parts of the browser’s own interface, potentially tricking users into handing over passwords or other sensitive data.
The patch: what’s inside Chrome 150.0.7871.47
The update fixes a single security flaw – CVE-2026-13973 – classed as a “UI implementation” issue. According to Google’s advisory, the bug allowed a crafted site to spoof browser interface elements. The company hasn’t disclosed the exact mechanism, following its standard practice of restricting details until a broad user base has applied the patch. This helps limit the window for attackers to develop exploits based on the public description.
The new build bumps the stable channel from its previous baseline. The version number for Windows is 150.0.7871.47; Mac users get the same string. Google typically rolls out these updates over several days, so the update may not appear instantly for everyone. You can force a check by navigating to chrome://settings/help and triggering an update manually.
What UI spoofing means for everyday browsing
UI spoofing – sometimes called “browser-in-the-browser” or address-bar spoofing – exploits the trust we place in Chrome’s own chrome: the address bar, lock icon, permission prompts, or even the entire window frame. A cleverly designed page can overlay fake elements that mimic the real thing. Imagine clicking a legitimate-looking “Google Sign-In” popup while the actual address bar is hidden. Your credentials go straight to an attacker, but everything appears normal.
CVE-2026-13973 falls into this category. Because it’s rated medium severity, Google believes it’s not trivial to exploit at scale, but the potential for targeted phishing attacks remains high. For Windows users – who make up the bulk of Chrome’s install base – the risk is particularly acute. Windows is already a favorite platform for malware campaigns, and a convincing spoof can bypass user suspicion more easily than a generic lookalike domain.
Business users and IT admins should take note too. In enterprise environments, where single sign-on portals and internal tools rely on Chrome’s trust model, a UI spoof could open the door to credential theft and lateral movement across corporate networks. Even medium-severity bugs can have outsized impact when paired with a targeted phishing email or malicious intranet page.
The broader pattern: browser UI attacks aren’t new
UI spoofing has haunted browsers for years. Chrome itself has patched dozens of similar CVEs, often rated medium or high. The fundamental challenge: browsers must render arbitrary web content while maintaining a clear, trustworthy boundary between that content and the browser’s own UI. Even a one-pixel discrepancy can be exploited by a determined attacker.
Microsoft’s Edge, which shares Chromium’s engine, has faced the same class of bugs. Firefox and Safari have their own histories. The Chromium project’s open-source nature means many eyes scrutinize the code, but also that vulnerabilities are discoverable by anyone – including those with malicious intent. Google’s internal security teams and external researchers regularly report these issues through Chrome’s Vulnerability Reward Program.
The timeline for CVE-2026-13973 isn’t fully public. Typically, a researcher reports the bug privately, Google validates it, develops a fix, and then ships it in a stable channel update. The CVE is assigned and the advisory published after the patch is ready. Since this update arrived outside of Chrome’s usual Tuesday/Thursday patch cadence, it may have been prioritized to head off active exploitation or just because the fix was straightforward.
Immediate steps: protecting your Windows machine
For individuals:
1. Open Chrome.
2. Click the three-dot menu (top-right), go to Help > About Google Chrome.
3. The browser will check for updates and install version 150.0.7871.47 automatically. Relaunch Chrome when prompted.
4. Verify the version by going back to the same About page.
If the update isn’t offered yet, wait a few hours and try again. Chrome’s staggered rollout means some users receive it sooner than others. Avoid downloading Chrome from unofficial sources – always rely on the in-app updater or google.com/chrome.
For IT administrators:
- Use Group Policy or your endpoint management tool to push the update. The Chrome Enterprise policy Update and ApplicationGUID settings can force updates on managed Windows devices.
- Check your deployment tool’s console for the latest Chrome MSI or PKG files; Google usually provides updated installers within 24 hours of a release.
- Consider enabling Chrome’s enhanced security features: the “Enhanced protection” mode under chrome://settings/security can offer additional defense against phishing and malicious sites, though it’s not a substitute for patching.
Additional precautions while the update rolls out:
- Treat any unexpected login prompts with suspicion, even if they appear to come from a familiar browser window.
- Hover over links before clicking and watch the status bar for the actual destination.
- Keep Windows itself updated; Microsoft’s SmartScreen and Defender technologies provide a complementary layer of anti-phishing protection.
A quick history of Chrome 150’s security landscape
Chrome 150 arrived in late May 2026 with a slew of features and the usual batch of security fixes. Since then, Google has released multiple minor updates to patch high-severity vulnerabilities. The 150.0.7871.47 build is the first to address a UI spoofing bug in this version cycle. Users who have been holding back from upgrading to 150 should take this as a signal to move forward – the stable channel is now safer than the previous release.
For Windows specifically, Chrome’s recent improvements in site isolation and sandboxing have reduced the blast radius of many exploits. But UI spoofing remains a class of attack that targets the human rather than the code, so technical mitigations alone can’t fully eliminate the risk.
What’s next
Google will likely publish a technical write-up on the Chromium bug tracker once enough users have updated. Those details will help security professionals understand the attack vector and fine-tune defenses. The next scheduled Chrome stable update will probably include a broader set of fixes, so watch for announcements in the coming weeks.
For Windows users, the message is simple: open Chrome’s About page and install the update. A few seconds of patching is a small price for closing a door that scammers are already trying to pry open.