Google shipped Chrome 150.0.7871.47 for Windows and Mac on June 30, 2026, to close a remote-code-execution hole in WebAppInstalls. The National Vulnerability Database assigned the flaw a critical 9.8 CVSS score, while Google’s own advisory listed it as high severity. The gap matters: it signals that attackers have a wider attack surface than Google’s wording suggests, and Windows users who delay the update are leaving a door open.

What actually changed in Chrome 150.0.7871.47

The patch corrects CVE-2026-14104, an input-validation bug in the WebAppInstalls component. WebAppInstalls is the engine that lets websites prompt users to install progressive web apps with a single click. When it parses malformed manifest data, it can trigger a memory corruption that allows an attacker to execute arbitrary code outside Chrome’s sandbox. Google’s advisory confirms that a remote attacker could “potentially exploit heap corruption via a crafted HTML page.” In plain language: you visit a malicious site or a legitimate site carrying a poisoned advertisement, and the attacker’s code runs with the same privileges as your Chrome process.

The update also includes four other security fixes Google is not yet detailing, following its standard practice of withholding bug specifics until a majority of users have updated. For Windows, the patch applies to the 64‑bit and 32‑bit desktop channels; Mac users received an identical fix. The company did not issue a corresponding update for Linux or ChromeOS on the same day, though those platforms share some WebAppInstalls code. Google’s release notes simply state: “[$TBD][364729890] High CVE-2026-14104: Insufficient data validation in WebAppInstalls. Reported by a security researcher on 2026-05-14.” The advisory’s timeline shows the bug was reported in mid‑May and fixed within six weeks.

The severity split: NVD versus Google

The real story for Windows admins is the NVD rating. The National Vulnerability Database, operated by NIST, published its own analysis on July 1 and gave CVE-2026-14104 a CVSS v3.1 base score of 9.8 (Critical). The vector string indicates low attack complexity, no privileges required, and no user interaction beyond visiting a page—exactly the kind of wormable web-browser flaw that government agencies track for rapid exploitation. Google’s internal triage, by contrast, kept the bug at “High,” a label that can slip past C-level dashboards that only flag “Critical” threats. NVD’s independent scoring means the flaw qualifies for mandatory patching under many federal civilian agency mandates, including the Binding Operational Directive 22-01 that requires a fix within 14 days of the NVD publication date. For IT shops that rely on CVSS thresholds to prioritize, the difference between High and Critical determines whether a fix is installed this week or next month.

Google has not publicly explained its scoring methodology for CVE-2026-14104, though it often lowers scores when it believes sandboxing or site isolation mitigations reduce the real-world impact. In this case, however, the bug’s presence in WebAppInstalls—a component that by design interacts closely with the operating system to create shortcuts and app registrations—may weaken those mitigations on Windows. Microsoft’s own security response center has not yet listed the CVE in its advisories, but enterprise defenders should treat this as a browser‑to‑endpoint escalation vector until proven otherwise.

What it means for you: home users, power users, and IT admins

If you’re a home user

You need to restart Chrome. The browser updates itself silently, but the new version only takes effect after a full restart. Too many users keep Chrome open for weeks and never apply security patches. Look at the three‑dot menu, go to Help > About Google Chrome, and let the updater run. You should see version 150.0.7871.47 (or higher) once it finishes. If you don’t see that string, close every Chrome window—including apps that embed Chrome, like Slack or Spotify—and reopen the browser. Check the version again. You’re looking for “150.0.7871.47” on the first line.

While you’re there, confirm that Safe Browsing is turned on (Settings > Privacy and security > Security > Standard protection). It won’t stop a zero‑day, but Google sometimes adds detection for in‑the‑wild exploitation through the Safe Browsing feed. Also, keep Windows Update current: the combination of a patched browser and a patched OS closes more attack chains.

If you’re a power user or developer

You likely run Chrome Canary or Dev channel separately. Those channels may have received the fix days or weeks earlier, but check anyway. Extension developers who listen to webAppInstall events should audit their code for any error‑handling gaps; the bug involves improper validation of manifest fields, so your own service workers might be processing something dangerous before Chrome’s fix kicks in. If you manage your own group policy for Chrome, add update‑pinning rules to force everyone to version 150.0.7871.47 within 24 hours. The Chrome Enterprise policy list supports TargetChannel and TargetVersionPrefix—set it today.

If you’re an IT administrator

This CVE fires on three separate dashboards: your vulnerability scanner, Microsoft Defender for Endpoint’s browser‑assessment rules, and whatever third‑party patch‑management tool you use. The NVD’s 9.8 score ensures it will appear at the very top of your weekly patch report. Don’t fall into the “Chrome auto‑updates, so I don’t need to act” trap. On managed Windows endpoints, Chrome’s updater can be blocked by restrictive firewall rules, per‑machine installs that lack user‑context elevation, or machines that have simply been off for weeks. Use your endpoint management tool to push a version check script: Get-ItemProperty 'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome' (the WOW6432Node key is where a 32‑bit Chrome registers on 64‑bit Windows; a 64‑bit Chrome uses the same key without WOW6432Node) and confirm the DisplayVersion is 150.0.7871.47 or higher. For macOS, query the CFBundleShortVersionString in /Applications/Google Chrome.app/Contents/Info.plist.

If your organization blocks Chrome updates to test compatibility, lift the block for this specific version. Google’s release notes report no breaking API changes, and the change‑log diff is small. Enterprise sites that depend on PWAs should immediately test their offline manifests against the patched version in a staging environment, as the input‑validation fix could theoretically reject manifest fields that were previously tolerated. So far, no developer reports of broken PWAs have surfaced, but a quick smoke test is prudent.

For security operations center teams, add a detection rule for any browser process spawning unexpected child processes after visiting a site that presents a web‑app‑install prompt. The post‑exploitation behavior of similar Chrome RCEs often involves cmd.exe or powershell.exe being launched by chrome.exe with a suspicious command line. Any such event on a machine running a Chrome version below 150.0.7871.47 warrants immediate isolation.
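As an added example of that rule (not Google's or any vendor's detection content), the Python below classifies constructed process-creation events: a chrome.exe parent launching cmd.exe or powershell.exe on a host whose Chrome build is below 150.0.7871.47 is marked for isolation, the same spawn on a patched host is marked for investigation, and the version comparison is numeric rather than string-based. The event fields, the sample records and the per-host Chrome version joined in from inventory are all assumptions.

```python
"""Flag browser-to-shell spawns on hosts still below the patched Chrome build.
Added example for the SOC guidance above, not vendor detection content; event
fields and records are constructed, and the per-host Chrome version is assumed
to be joined in from inventory."""
from pathlib import PureWindowsPath

PATCHED = "150.0.7871.47"
SHELLS = {"cmd.exe", "powershell.exe"}
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

def version_tuple(v):
    """Numeric version order: '99.0.x' sorts below '150.0.x'; string order gets this wrong."""
    return tuple(int(p) for p in v.split("."))

def classify(ev):
    """Verdict for one process-creation event: 'isolate', 'investigate' or 'ignore'."""
    parent = PureWindowsPath(ev["parent_image"]).name.lower()
    child = PureWindowsPath(ev["image"]).name.lower()
    if parent != "chrome.exe" or child not in SHELLS:
        return "ignore"        # covers chrome.exe launching its own renderer/GPU children
    if version_tuple(ev["chrome_version"]) < version_tuple(PATCHED):
        return "isolate"       # unpatched browser spawned a shell: treat as live exploitation
    return "investigate"       # patched, but chrome.exe should still never launch a shell

def triage(events):
    """Hosts needing action, keeping the most severe verdict seen per host."""
    rank = {"ignore": 0, "investigate": 1, "isolate": 2}
    verdicts = {}
    for ev in events:
        v = classify(ev)
        if rank[v] > rank[verdicts.get(ev["host"], "ignore")]:
            verdicts[ev["host"]] = v
    return verdicts

def event(host, parent, image, cmdline, chrome_version):
    return {"host": host, "parent_image": parent, "image": image,
            "command_line": cmdline, "chrome_version": chrome_version}

# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    event("WS01", CHROME, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -NoProfile -WindowStyle Hidden -Command ...", "149.0.7800.12"),
    event("WS02", CHROME, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami", PATCHED),
    event("WS03", CHROME, CHROME, "chrome.exe --type=renderer ...", "149.0.7800.12"),
    event("WS04", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe", PATCHED),
    event("WS05", CHROME, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami", "99.0.4844.51"),
]
```

Note the WS05 record: a lexicographic comparison treats "99.0.4844.51" as newer than "150.0.7871.47" and would silently drop that host from the isolation list.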

How we got here

Chrome 150 arrived in May 2026 as a feature release, bringing a redesigned password manager and a built‑in PDF‑annotation tool. WebAppInstalls received an overhaul in Chrome 148 to support richer installation dialogs with custom icons and short‑name truncation—changes that expanded the component’s attack surface. The researcher who reported CVE-2026-14104 spotted the flaw in the parsing logic for those richer manifests and demonstrated a proof‑of‑concept that could corrupt heap memory via a tampered manifest.

Google’s timeline shows the usual fast‑paced cycle: a report on May 14, a fix by late June, and a stable‑channel ship on June 30. The company held the CVE assignment for over a month to give users time to update, but the NVD’s rapid publication on July 1 erased that head start. Historically, Chrome vulnerabilities rated 9.8 by NVD have been exploited in the wild within two weeks of disclosure. CVE-2025-2783, a similar WebAppInstalls RCE from last year, saw active attacks within four days. The Cybersecurity and Infrastructure Security Agency is expected to add CVE-2026-14104 to its Known Exploited Vulnerabilities catalog shortly, which starts a 14‑day clock for federal civilian agencies—and a best‑practice recommendation for everyone else.

Windows users are the primary target because WebAppInstalls on Windows creates Start‑menu shortcuts and interacts with the Windows registry more deeply than on macOS, where the sandbox architecture limits some of these operations. The NVD specifically calls out Windows and Mac as affected, while Linux and ChromeOS are absent from the advisory, implying the vulnerable code path might be platform‑specific or mitigated elsewhere.

What to do now

For everyone
1. Restart Chrome. This is the single most effective action. No update is applied until the browser restarts. Check chrome://settings/help to verify.
2. Enable auto‑update. If you’ve disabled Chrome’s updater for any reason, re‑enable it immediately. Visit chrome://settings/help and make sure “Automatically update Chrome for all users” is not blocked by policy.
3. Watch for strange browser behavior. If Chrome suddenly asks to “install” a site you weren’t expecting, or if a prompt appears without your clicking an install button, close the tab. Novel exploitation might use fake PWA install prompts as a lure.

For IT admins
1. Force the update via group policy. Use the GoogleUpdate ADMX templates to set a minimum version policy: Update > Applications > Google Chrome > Target version prefix override set to “150.” (the trailing dot is part of the prefix and pins clients to 150.x builds). Combine with Update policy override set to Always allow updates.
2. Scan your network for outdated versions. A quick PowerShell sweep:
```powershell
$hostnames = Get-Content "C:\computers.txt"
Invoke-Command -ComputerName $hostnames -ScriptBlock {
    # Per-machine 64-bit Chrome registers under the first key; a 32-bit Chrome on 64-bit Windows under the WOW6432Node key.
    $keys = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome",
            "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome"
    $chrome = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $chrome) {
        Write-Output "$env:COMPUTERNAME has no per-machine Chrome in HKLM (check per-user installs)"
    # Cast to [version]: a plain string comparison would sort "99.0.x" above "150.0.x".
    } elseif ([version]$chrome.DisplayVersion -lt [version]"150.0.7871.47") {
        Write-Output "$env:COMPUTERNAME needs update (has $($chrome.DisplayVersion))"
    }
}
```
3. Block execution of older versions. For critical assets, use AppLocker or Windows Defender Application Control to deny chrome.exe if the file version is below 150.0.7871.47. This is extreme, but it’s the surest way to prevent an unpatched browser from running.
4. Prepare for CISA’s KEV addition. If your organization is federal, or follows federal guidelines, start the 14‑day clock now. Even private organizations should target a 48‑hour patch window for a browser RCE this severe.

For developers
1. Update Electron apps. If you ship an Electron‑based application that embeds a Chrome engine older than 150.0.7871.47, rebuild and release immediately. End‑users often don’t realize their “installed app” is a vulnerable browser.
2. Review your PWA manifests. While the fix is on the client side, cleaning up any non‑standard or oversized fields in your manifest reduces the chance that an unpatched client gets exploited while visiting your site.

Outlook

Google will likely publish a more detailed technical blog post on CVE-2026-14104 within the next two weeks, once the update reaches 90% adoption. Expect additional patches for ChromeOS and Linux, plus a Samsung Internet and Microsoft Edge update since both Chromium‑based browsers inherit WebAppInstalls code. Edge’s integrated PWA platform makes it just as vulnerable; Microsoft has not yet published its advisory, but a rapid follow‑up is certain.

The wider lesson is that Chrome’s internal severity ratings don’t always match federal scoring. When NVD and Google diverge, trust the higher score for your risk assessment. For Windows users, this is a no‑drama fix: restart your browser today. For IT teams, the 9.8 rating should override any “High” classification that might let the patch slip into a lower‑priority bucket. Bookmark chrome://version and make a habit of checking it every Monday morning.