Google shipped Chrome version 150.0.7871.47 for Windows and Mac on June 30, 2026, closing a low-severity security hole that could let a remote attacker spoof the browser’s security interface. The flaw, tracked as CVE-2026-14072, resides in the SplitView feature and was publicly documented before the fix landed. While Google rates the threat as low, any UI-spoofing vector undermines the trust users place in the browser’s chrome — the very frame that signals whether a page is safe. Here’s exactly what changed, who’s affected, and why you should update now.
What the Chrome 150 Patch Actually Fixes
The update addresses a single security issue: CVE-2026-14072, described as an “inappropriate implementation in SplitView” that allowed UI spoofing. In practical terms, a crafted HTML page could trick the browser into displaying a fake address bar, security indicator, or other trusted interface elements, making a malicious site appear legitimate. Google’s advisory classifies the bug as low severity, meaning it’s difficult to exploit at scale or requires significant user interaction — but the potential for phishing is real.
Chrome 150.0.7871.47 is now rolling out via the browser’s automatic update mechanism. Windows and macOS are the only platforms confirmed in the advisory; Linux builds, ChromeOS, and mobile versions were not mentioned, suggesting the bug may be tied to platform-specific SplitView implementations or that those platforms were already protected.
SplitView itself is a desktop feature that lets users view two tabs side by side within a single window. The vulnerability likely allowed a malicious page loaded in one panel to manipulate the visual cues of the browser’s omnibox or other UI elements that span the entire window. Google credited an external researcher with the discovery but did not disclose specific exploitation details, standard practice for newly patched vulnerabilities.
What the SplitView Spoofing Risk Means for You
For everyday Windows and Mac users, the immediate takeaway is straightforward: update Chrome as soon as the restart button appears. Although the severity is low, UI spoofing attacks have historically been used to steal credentials by mimicking banking sites or corporate login pages. If you often use SplitView to multitask — keeping a reference page open while logging into another service — a well-timed attack could overlay a fake login form on the supposedly safe half of your screen.
For Home Users and Non-Technical Workers
- Risk Level: Low, but don’t dismiss it. The bug requires a malicious site to be open in SplitView alongside a target page, which limits broad, automated attacks.
- Likely Scenario: A phishing email with a link that, when opened in SplitView alongside your inbox, could spoof a Google or Microsoft login prompt.
- What to Watch For: Unexpected address bar behavior, mismatched domains in the omnibox, or security indicators that don’t match the site you’re on. If something looks off, close both tabs and restart the browser.
For IT Administrators and Enterprise Environments
- Patch Priority: Immediate, but not emergency. Since the flaw is already documented and assigned a CVE, unpatched browsers are a known target. Attackers often reverse-engineer patches to create exploits.
- Deployment Strategy: Use your endpoint management tools to force Chrome updates to the latest version. You can verify via Chrome’s enterprise policies and version reporting.
- Group Policy Settings: Ensure AllowChromeVersionSelection isn’t locking users to an older, vulnerable version. Review any policies that might disable automatic updates.
For Web Developers and Security Researchers
- Technical Context: The flaw is in SplitView’s handling of cross-panel UI isolation. It likely involved inconsistent state management or insufficient origin checks when rendering security-critical UI across multiple web contents in one browser window.
- Cross-Platform Impact: If your application uses SplitView-like interfaces or embedded webviews with shared chrome, review your own UI isolation boundaries. While Chrome’s fix is specific to its desktop browser, the pattern of UI spoofing across multi-view setups could exist elsewhere.
How We Got Here: A Low-Key Vulnerability with Familiar Roots
CVE-2026-14072 fits into a broader pattern of Chrome vulnerabilities that chip away at the browser’s trusted surface — the pixels that tell you whether a connection is secure, who issued the certificate, and what URL you’re actually visiting. UI spoofing bugs have surfaced regularly in Chromium’s history, often tied to new features like picture-in-picture, tab groups, or the side panel.
SplitView, introduced to enhance multitasking, likely added complexity to the browser’s UI rendering pipeline. When two pages share a window, the browser must carefully isolate which page can influence what the user sees in shared elements. A misstep in that logic gave an attacker a sliver of access to the security zone.
Google’s security team flagged the issue after a researcher submitted it through the Chromium bug bounty program. The company publicly documented the bug on the Chrome releases blog on June 30, 2026, alongside the patched version. No reports of active exploitation have emerged, and Google typically reserves its “emergency” label for zero-days exploited in the wild. The low severity rating suggests the company believes exploitation is complex and unlikely to yield mass impact.
Chrome 150 itself arrived on June 24, 2026, marking the browser’s milestone release for the month. The .47 sub-version bump indicates that the security fix was the only change, a common practice for a single CVE patch. Users who had already updated to Chrome 150 (build 150.0.7871.26 or earlier) will receive a small, silent update.
What to Do Now: Step-by-Step Update Instructions
For Individual Users on Windows and Mac
- Check your current version: Click the three-dot menu in the top-right corner, then navigate to Help > About Google Chrome. The version number appears at the top.
- Trigger the update: If you see 150.0.7871.47 or higher, you’re protected. If not, Chrome will automatically begin downloading the update on that screen. Wait for the process to complete, then click Relaunch.
- Verify the patch applied: After relaunch, revisit chrome://settings/help to confirm the new version.
- Enable automatic updates if they’re off: On Windows, ensure the Google Update service is running (services.msc). On Mac, check that Google Software Update isn’t disabled in your system preferences.
For IT Admins Managing Fleets
- SCCM / Intune: Push the latest Chrome MSI or use your update ring configurations. The Windows MSI for version 150.0.7871.47 is available on Google’s Chrome for Enterprise download page.
- Jamf / Kandji (Mac): Deploy the updated PKG, and enforce a relaunch policy with a reasonable deadline.
- Verification: Use Chrome’s reporting features or a third-party vulnerability scanner to confirm all endpoints are on the patched version.
- Communicate: Send a brief notice to employees, especially those in finance or HR, reminding them to restart Chrome and be alert for phishing.
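The verification step above can be scripted against an inventory export. The following is an added example, not code from Google or any management tool: the CSV column names and the sample hosts are constructed, and the only values taken from this article are the fixed build 150.0.7871.47 and the two platforms the advisory names.

```python
import csv
import io

FIXED = (150, 0, 7871, 47)          # patched build named in the article
AFFECTED_OS = {"windows", "macos"}  # platforms the advisory confirms

# Constructed sample export; column names are assumptions, not a real tool's schema.
SAMPLE_INVENTORY = """hostname,os,chrome_version
fin-ws-01,Windows,150.0.7871.47
fin-ws-02,Windows,150.0.7871.26
hr-mac-01,macOS,149.0.7800.112
hr-mac-02,macOS,150.0.7871.5
dev-lnx-01,Linux,150.0.7871.26
kiosk-07,Windows,unknown
eng-ws-09,Windows,151.0.7900.3
"""

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a Chrome version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(row):
    """Return 'patched', 'vulnerable', 'unknown' or 'not_in_advisory' for one host."""
    if row["os"].strip().lower() not in AFFECTED_OS:
        return "not_in_advisory"
    version = parse_version(row["chrome_version"])
    if version is None:
        return "unknown"  # unparseable data needs manual follow-up, not a pass
    # Tuple comparison is numeric per component, so .5 sorts below .47;
    # a plain string comparison would wrongly rank "…7871.5" above "…7871.47".
    return "patched" if version >= FIXED else "vulnerable"

def audit(inventory_csv):
    """Group hostnames by patch status."""
    report = {"patched": [], "vulnerable": [], "unknown": [], "not_in_advisory": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        report[classify(row)].append(row["hostname"])
    return report

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status:16} {', '.join(hosts) or '-'}")
```

Hosts that land in "unknown" should be chased rather than assumed patched, since a missing version string usually means the reporting agent is stale.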
Additional Safety Measures
- Disable SplitView if you’re concerned: While there’s no official toggle, you can avoid using the feature until the update is installed. Simply don’t drag tabs into a side-by-side configuration.
- Use Google Password Manager or a passkey: Even if a page is spoofed, autofill won’t work on a mismatched domain, adding a second layer of defense.
- Report suspicious sites: If you encounter a site that appears to be spoofing browser UI, report it to Google Safe Browsing.
Outlook: What to Watch Next
Google will likely publish a more detailed technical post about CVE-2026-14072 on the Chromium security page once most users have updated. That write-up will help developers understand the root cause and avoid similar pitfalls in their own applications. For now, the takeaway is simple: low severity doesn’t mean no risk, especially when the attack can undermine the very interface we rely on to gauge a site’s legitimacy. Keep Chrome updated, and treat any unexpected address bar behavior as a red flag.
Chrome’s rapid release cycle means the next version — 151 — is only weeks away, bringing another round of fixes. In the meantime, the June 30 patch is a reminder that browser security is a constant race, and the best defense for users is hitting that “Relaunch” button the moment it appears.