Google this week released Chrome for iOS version 150.0.7871.47, which includes a fix for a medium-severity vulnerability that could allow attackers to trick users with spoofed interface elements. The bug, tracked as CVE-2026-13981, is a UI-spoofing issue that could be exploited by a remote attacker using crafted HTML.
The update is now rolling out through Apple’s App Store, and all Chrome for iOS users are strongly advised to install it immediately.
What exactly changed?
CVE-2026-13981 is a medium-severity vulnerability in the Chrome for iOS codebase. According to Google’s advisory, the flaw could allow a remote attacker to "present misleading interface information to a user." In practical terms, this means a specially crafted website or HTML file could alter the appearance of Chrome’s user interface — for instance, the address bar, buttons, or pop-up dialogs — without the user’s knowledge.
Such spoofing can be used in phishing attacks. An attacker could, for example, make a malicious site look like a legitimate banking login while displaying a fake secure lock icon and URL. Because the deception occurs at the browser UI level, even carefully trained individuals might be misled. The vulnerability is rated medium because it doesn’t directly execute code or steal data, but it can be a powerful tool in social engineering.
The update to Chrome for iOS 150.0.7871.47 patches this bug. As is standard practice, Google hasn’t released full technical details to prevent attackers from exploiting the flaw before most users have updated. The vulnerability was reported by an external researcher, though Google hasn’t disclosed the name or whether a bounty was awarded.
What it means for you
For everyday users: If you use Chrome on an iPhone or iPad, you are vulnerable until you update. The risk is moderate — you would need to visit a malicious website or open a crafted HTML file for this to be exploited. However, given how often we all click links in emails, messages, or social media, an update is strongly recommended. The fix also includes other unspecified stability and performance improvements.
For IT administrators: Enterprise and education environments relying on Chrome for iOS should push this update to managed devices as soon as possible. Even a medium-severity spoofing flaw can enable credential theft, especially when combined with well-crafted phishing campaigns. Many mobile device management (MDM) solutions allow forcing app updates, so verify your policies. Also, ensure your users know to watch for unexpected browser UI changes and to report anything suspicious.
For developers: If you test web applications on Chrome for iOS, update your test devices to the latest version to ensure no unexpected behavior from the patch. There are no known breaking changes, but consistent testing is wise.
How we got here
UI spoofing bugs are a recurring challenge for all browsers. In recent years, both desktop and mobile browsers have grappled with flaws that let attackers mimic address bars, security indicators, or system dialogs. Chrome for iOS is particularly noteworthy because, unlike the desktop version, App Store policies force it to use Apple’s WebKit rendering engine. This means Chrome’s UI is a separate layer built on top of WebKit, and bugs in that UI code can lead to spoofing that would not be possible in a full-stack browser like Safari.
CVE-2026-13981 is only one of many security fixes Google rolls out each month. Chrome typically receives updates every few weeks, with critical patches frequently breaking 100 fixes. This specific medium-severity flaw may have been discovered by a researcher participating in Google’s Vulnerability Reward Program, though details haven’t been confirmed. The CVE number indicates it was assigned in 2026, and given the March release, it’s likely part of a routine stable channel update.
Historically, UI spoofing in mobile browsers has been used in targeted attacks, such as those aiming to steal corporate credentials or banking information. Because mobile screens are small, many users are less likely to scrutinize URL bars or security indicators. That makes these bugs especially dangerous, even when they don’t allow direct data theft.
What to do now
Updating Chrome on your iPhone or iPad is simple:
- Open the App Store.
- Tap your profile icon in the top right corner.
- Scroll down to find Chrome in the list of pending updates, or pull down to refresh.
- Tap Update next to Chrome. If the button says Open, you’re already running the latest version.
You can verify the installed version by opening Chrome, tapping the three-dot menu (bottom right on iPhone, top right on iPad), going to Settings > About Chrome. The version should read 150.0.7871.47 (or later).
If you don’t see the update immediately, try these steps:
- Restart your device.
- Check your internet connection.
- Ensure you have enough free storage.
- Manually search for “Chrome” in the App Store and look for an Update button on the app page.
For those managing iOS devices in an organization, confirm your MDM policies are pushing app updates automatically or schedule a manual push. Also, advise your users to be alert for any unusual browser behavior, such as address bars that don’t match the expected website or unexpected pop-ups asking for passwords.
Outlook
As Chrome continues to dominate the browser market, its UI layer will remain a prime target for researchers and attackers alike. Google’s rapid patching cycle is reassuring, but no software is immune to these subtle, user-facing flaws. The shift toward more sophisticated phishing and social engineering attacks makes UI integrity more critical than ever.
Apple’s own Safari browser on iOS benefits from deep system integration and sandboxing, but Chrome’s popularity — especially among users who sync across platforms — makes it a key vector. Users should keep automatic updates enabled for all apps, not just Chrome, and stay vigilant about unsolicited links.
Google has not indicated that this vulnerability is being actively exploited in the wild, but as always, the safest course is to update immediately. The next Chrome for iOS release will likely bring further security enhancements, and we’ll continue to monitor for any new developments.