Google disclosed a critical security vulnerability in the iOS version of its Chrome browser on June 30, 2026, and the fix is already available. The flaw—tracked as CVE-2026-14099—could allow a remote attacker to compromise an iPhone or iPad after tricking the user into a simple on-screen interaction. If you use Chrome on an Apple mobile device, you need to update to version 150.0.7871.47 immediately.
What Actually Changed
Chrome for iOS version 150.0.7871.47 patches a use-after-free bug. That class of memory-safety error happens when a program continues to use a block of dynamic memory after the operating system has already released it. In the hands of a skilled attacker, a use-after-free can corrupt valid data, crash the application, or—worst of all—execute arbitrary code on the device.
According to Google’s advisory, exploiting CVE-2026-14099 requires “specific user-interface gestures” on a maliciously crafted web page. The company hasn’t described those gestures in detail—deliberately, to buy users time to patch before proof-of-concept code appears—but the description is consistent with a link click, a button tap, or a few seconds of scroll-and-tap interaction. Such attacks can unfold quickly, and the victim may never realize anything went wrong.
Google’s own security team discovered the bug internally and followed the customary 90-day disclosure timeline. As of this writing, there is no public evidence that CVE-2026-14099 has been exploited in the wild, but use-after-free vulnerabilities in browsers are prized by both criminal groups and commercial surveillance vendors, so the stakes are high. The patch also includes other security fixes that Google hasn’t itemised, a common practice to lower the chance that attackers will reverse-engineer the update binaries.
What It Means for You
If you regularly browse the web with Chrome on an iPhone or iPad, your device is at risk until you apply the update. An attacker who lures you to a booby-trapped website could potentially read sensitive information that Chrome handles—saved passwords, autofill data, cookies that keep you logged into banking and email accounts—or even pivot to other apps if they manage to escape the browser’s sandbox.
Enterprise users face a compounded danger. A compromised personal device that connects to corporate resources through a browser-based intranet or a single sign-on portal can become an initial foothold for attackers looking to move laterally inside an organisation. IT administrators who support bring-your-own-device (BYOD) policies should treat this update as priority-one and push communications to staff immediately.
Windows users might be tempted to dismiss this as an iOS-only story, but ecosystem overlap makes it relevant. Many Windows laptop and desktop owners also carry an iPhone. Chrome’s sync engine ties their browsing experience together: bookmarks, passwords, payment methods, and open tabs jump from the Windows version to the iOS version and back. If an attacker compromises the iPhone Chrome client, they could harvest the synced data that also serves the Windows side—effectively reading the same browser profile you use on your PC. While the code flaw itself doesn’t exist in Chrome for Windows, the data it exposes can span both operating systems.
Finally, the incident is a live reminder that mobile browsers are fully fledged attack surfaces. Users often focus on desktop security patches and let mobile updates slide, but a smartphone holds just as much—and often more—personally identifiable information than a laptop does.
How We Got Here
Chrome for iOS has a unique architecture. Unlike the desktop and Android editions, which rely on Google’s own Blink rendering engine, the iOS version must—by Apple’s App Store rules—use the system’s built-in WebKit engine. That doesn’t make it immune to vulnerabilities; Google still layers its own networking, storage, and UI components on top, and bugs can appear in any of those layers.
Use-after-free flaws have plagued browsers for two decades. The Chromium project, which underpins Chrome, employs defenses like heap isolation and memory-tagging in newer operating systems, but no defense is perfect. When researchers inside Google’s Project Zero or the broader security community find a hole, the incident follows the same rhythm: private report, a patch built, deploy the fix to the stable channel, then publish a public advisory. That is exactly what happened here.
June 30, 2026, marks the date Google pushed the stable release to the App Store and simultaneously published the CVE entry. Apple’s review process meant that the update might not have appeared on every device instantly, but within hours the button should be visible worldwide. Google hasn’t said whether the bug was reported by an internal team or an outside researcher, only that the company’s own staff identified it.
What to Do Now
1. Update Chrome on your iPhone or iPad
Open the App Store, tap your profile picture in the top-right corner, and swipe down to refresh the pending updates list. Find Chrome, tap “Update,” and wait for the download to finish. If you see a “Recently Updated” section instead, your device has already applied the patch.
To be certain, launch Chrome, tap the three-dot menu, go to Settings, scroll down and tap Google Chrome. The version number is listed there. You need 150.0.7871.47 or higher.
2. Enable automatic updates (if you haven’t already)
Go to Settings > App Store and toggle on “App Updates.” Chrome updates will then install overnight whenever your device is charging and connected to Wi‑Fi, reducing the window of exposure.
3. Watch for Safari updates, too
Because Chrome on iOS uses WebKit, a vulnerability in the engine could affect Safari as well. Keep an eye on Apple’s security updates page; if WebKit receives a related patch, install it right away. As of now, Apple hasn’t linked a specific Safari release to CVE-2026-14099, but the browser security community often sees overlapping issues.
4. For Windows users synchronizing with Chrome
Although the code flaw does not exist in Chrome for Windows, a compromised iOS device can leak synced credentials. There’s no need to panic, but a few hygiene steps make sense:
- From your Windows machine, visit chrome.google.com/sync and review the devices linked to your account. Revoke any you don’t recognize.
- Change the password of your Google account if you have any doubt, and turn on two-factor authentication.
- Run Chrome on Windows and click Help > About Google Chrome to ensure you’re running the latest desktop version. (The current stable build at the time of writing is 150.0.7871.100, which includes unrelated fixes.)
5. IT administrators
Push a notification to all managed iOS devices instructing users to update Chrome. If your mobile device management (MDM) solution supports app update policies, enforce the latest version as a mandatory requirement. Audit your Azure Active Directory or identity provider logs for unusual activity around the disclosure date.
Looking Ahead
Google will release more technical details about CVE-2026-14099 once the update reaches broad adoption—typically a few weeks after the patch ships. Security researchers will then dissect the flaw, and you can expect proof-of-concept code to circulate. By then, however, anybody who has updated will be protected.
The episode underlines a stubborn truth: mobile browsers demand the same vigilance as desktops. Every iPhone owner should treat an “Update” badge on the App Store with the same urgency as a Windows Update notification. For now, the fix is one tap away. Take it.