Google rolled out an urgent security update for Chrome on iOS on June 30, 2026, closing a high-severity use-after-free vulnerability tracked as CVE-2026-13807. The flaw, present in all versions of the browser before 150.0.7871.47, could allow a remote attacker to execute arbitrary code on a targeted iPhone or iPad. If you use Chrome on your iOS device, stopping what you’re doing to install the patch is the only sure way to protect your data and privacy.
The Core Issue: A Use-After-Free That Opens the Door to Attackers
The vulnerability sits deep in Chrome’s memory management. In a use-after-free flaw, the browser incorrectly references a chunk of memory that has already been freed. Attackers who understand the timing can manipulate that lingering pointer to inject and run their own malicious instructions. On iOS, this means a rigged website—or a legitimate site serving a compromised ad—can, with no user interaction beyond a simple visit, gain a foothold inside Chrome’s process.
Google’s advisory reveals few technical specifics, a deliberate choice to block quick exploitation before most users have updated. What we do know is that CVE-2026-13807 was classified as high severity, the company’s second-highest danger rating, reserved for bugs that let attackers read or write to memory, bypass security sandboxes, or run code remotely. On the CVSS v3 scale, such a flaw likely scores between 7.0 and 8.8, indicating a critical need for patching.
The fix in Chrome 150.0.7871.47 for iOS eliminates the dangling pointer entirely, rewriting the code responsible for the unsafe memory access. There’s no workaround, no configuration toggle to flip; the update is the only remedy.
What This Means for iOS Users, Admins, and Developers
For the everyday iPhone and iPad owner
If you use Chrome as your primary browser on iOS, this vulnerability affects you directly. The attack is a classic drive-by: a malicious web page loads, the browser’s memory gets corrupted, and an attacker’s code runs inside Chrome’s sandbox. From there, the scope of damage depends on what else can be leveraged. Attackers often chain such bugs with other exploits to break out of the sandbox and reach deeper parts of the operating system, though no such companion vulnerability is mentioned here. Still, the immediate risk—theft of session cookies, capture of form inputs, installation of a persistent redirection script—is serious enough to demand immediate action.
Chrome’s auto-update mechanism on iOS, unlike on desktop, is limited by the App Store’s update model. Unless you’ve manually enabled automatic app updates and have a consistent Wi‑Fi connection, you may still be running an exposed version. Check now by going to Settings > General > iPhone Storage > Chrome to see your current version, or navigate to chrome://version in the browser’s address bar. The safe version is 150.0.7871.47 or higher.
For IT administrators managing fleets of company iPhones
The risk scales quickly in enterprise settings. A single unpatched device that connects to corporate resources through Chrome could become a springboard for broader network compromise—stolen credentials, lateral movement, or data exfiltration. Enforcing the update through your Mobile Device Management (MDM) solution should be a top priority. Push the Google Chrome app update to all supervised devices, and set a compliance policy that blocks access to internal apps until the patch is installed. Many MDM platforms can report on installed apps and their versions; use that data to track progress.
For developers and power users
Chrome on iOS is built atop Apple’s WebKit engine, but it still layers in its own code for things like syncing, media playback, and the JavaScript optimization pipeline. A use-after-free in those areas won’t be caught by iOS’s built-in protections. Developers who test their web apps on iOS Chrome should update immediately to avoid working under a false sense of security. Power users who jailbreak their devices or run early developer betas are at heightened risk because they often operate outside Apple’s standard security envelope.
The Context: Chrome’s Unending Game of Cat and Mouse
Google’s security team has publicly acknowledged that use-after-free bugs are among the most common high-severity vulnerabilities in Chrome. The browser’s architecture, heavily reliant on C++ for performance, makes memory safety errors almost inevitable. Over the past two years, the Chromium project has invested in mitigating technologies like MiraclePtr and the V8 sandbox, but iOS’s unique requirements—specifically, Apple’s prohibition of just-in-time (JIT) compilation outside its own WebKit framework—complicate the application of some desktop-grade defenses. Chrome for iOS simply doesn’t have the same layered sandboxes that its desktop and Android counterparts enjoy, yet it faces the same adversaries.
CVE-2026-13807 was reported to Google through its Vulnerability Reward Program, according to the sparse disclosure. The company credited an anonymous researcher, paying a bounty that likely topped five figures for a high-impact memory corruption bug. That quick turnaround—from private report to public patch—underscores the severity and the threat model: attacks that can be launched silently from a web page are often exploited in the wild within days of a public advisory.
Google has made it standard practice to release seven separate Chrome builds (Windows, Mac, Linux, Android, iOS, plus Chromium-based Edge and other derivatives) in lockstep when a cross-platform vulnerability is found. Here, the advisory was limited to iOS, suggesting the root cause lies in iOS‑specific code paths—perhaps in the media pipeline, custom URL handling, or the browser’s integration with the operating system’s graphics surfaces. For iOS users, that isolation means the patch is lightweight and unlikely to introduce new bugs, but it also removes any safety net that a shared fix across platforms might provide.
Immediate Steps to Secure Your Device
- Update Chrome on iOS. Open the App Store, tap your profile icon, scroll to Chrome, and tap Update. If you don’t see it, pull down to refresh. This installs version 150.0.7871.47.
- Verify the version. After updating, tap the three-dot menu > Help > About Google Chrome. Confirm you’re on the correct build.
- Enable automatic updates. Go to Settings > App Store and turn on App Updates under Automatic Downloads. While you’re there, ensure Security Response & System Files is also enabled so that future emergency patches arrive without delay.
- Clear your browsing data (optional). If you suspect you may have visited a suspicious site before the update, go to Chrome Settings > Privacy > Clear Browsing Data. Choose “All time” and select cookies, site data, and cached images. This removes any residual injected scripts.
- Deploy in enterprise. Use your MDM to push the forced app update. For devices that can’t be updated immediately, consider temporarily blocking Chrome via a web content filter until the patch lands. An alternative is to direct users to Safari for the interim, as the vulnerability is specific to Chrome.
- Watch for follow‑up CVEs. Often, detailed research emerges within weeks that illustrates how the flaw could have been exploited. Subscribe to Google’s Chrome Releases blog or enable automatic updates to stay ahead.
Outlook: What to Watch Next
The uneasy reality for iOS Chrome users is that memory safety bugs aren’t disappearing. Despite Apple’s hardened system architecture, third-party apps like Chrome can still carry their own exploitable code—and Google’s patch velocity remains the best countermeasure. Expect Google to accelerate its migration to safer languages like Rust in Chromium, though iOS-specific components may lag due to technical constraints. For now, treat every high-severity CVE as a ticking clock and update without delay. With CVE-2026-13807 addressed, the next batch of vulnerabilities is already being scrutinized by researchers—and likely by attackers.