Google has pushed out Chrome version 150.0.7871.47 to the stable channel for Windows, and this isn’t a routine refresh. The update patches a high-severity flaw — CVE-2026-13926 — that lets attackers bypass the browser’s navigation safeguards, essentially stripping away the protections most users trust to keep them from landing on spoofed or weaponized pages. If you’re running Chrome on a Windows machine, you’ll want to install this fix immediately.

The Flaw: Navigation Bypass Strips Away a Core Defense

At its core, CVE-2026-13926 is a navigation bypass vulnerability. Google’s own description, which remains terse as is standard for freshly disclosed security bugs, confirms the issue allows a remote attacker to circumvent Chrome’s navigation restrictions. In plain language, that means a malicious actor could craft a site or an ad that forces your browser to ignore the usual rules about what constitutes a trustworthy page. The address bar might display a legitimate URL while the content you see is actually coming from a different, attacker-controlled source. Or a phishing page could be injected into a normally safe browsing session without triggering any warning.

Google hasn’t yet published the full technical write‑up — a deliberate delay to give users time to patch — but even this limited disclosure is enough to signal the risk. Navigation bypass flaws have historically been used to facilitate:

  • Phishing attacks that harvest login credentials
  • Malware droppers that disguise payload downloads as software updates
  • Session hijacking where a user’s active login cookies are stolen

The Common Vulnerability Scoring System (CVSS) rating for CVE-2026-13926 hasn’t been publicly assigned yet, but Google’s internal severity assessment marks it as “High,” meaning the potential for serious damage is real.

Who Is Affected?

Any Windows user running a Chrome version prior to 150.0.7871.47 is vulnerable. The flaw isn’t limited to specific hardware or configurations — it’s in the browser’s core code. Chrome versions on macOS and Linux are also affected, though the initial advisory emphasized the Windows impact. If you’ve disabled automatic updates or have Chrome running in an enterprise environment with controlled deployment, you’re at heightened risk.

Mobile users on Android or iOS aren’t covered by this specific CVE because the underlying navigation mechanisms differ, but they should still keep their apps updated via the Play Store or App Store as a best practice.

The Patch: What 150.0.7871.47 Delivers Beyond Security

Chrome 150.0.7871.47 isn’t a standalone security hotfix — it’s a full stable channel update. In addition to plugging the navigation bypass hole, the release includes a handful of backend performance tweaks and compatibility improvements that roll up from the Chromium project. The most immediate change for users is the version bump itself, which you can verify once the browser restarts.

Google’s standard procedure is to release security patches on a two‑week cycle, but critical bugs can accelerate that timeline. While the company hasn’t confirmed whether CVE-2026-13926 forced an out‑of‑band release, the urgency of the messaging suggests it was deemed too dangerous to wait for the next scheduled update.

How to Update Google Chrome on Windows

Chrome normally handles updates in the background and applies them when you close and reopen the browser. But if you’ve been running the same session for a while, the update may be pending. Here’s how to force it:

  1. Open Chrome and click the three‑dot menu icon in the top‑right corner.
  2. Go to Help > About Google Chrome.
  3. Chrome will immediately check for updates. If 150.0.7871.47 is available, the download will start automatically.
  4. Once the download completes, click Relaunch. Chrome will restore your open tabs after restarting.

After relaunching, return to the About page to confirm the version number reads 150.0.7871.47 (or later). If it says “Google Chrome is up to date” but shows an earlier version, your system may be managed by an IT administrator — skip to the section for admins below.

For Power Users: Verify the Update Silently

If you prefer a command‑line check, open a Run dialog (Win+R) and enter:

chrome://settings/help

That directly opens the About page. To confirm the update has been applied, you can also navigate to chrome://version/ and inspect the “Google Chrome” line.

For IT Administrators: Deploying the Fix at Scale

In managed environments, letting every user manually update is a recipe for drift. Chrome offers several deployment tools:

  • Group Policy: Use the Chrome for Enterprise MSI installer and configure auto‑update policies via ADMX templates. Set the Update policy override to “Always allow updates” and specify a target version prefix if you need to stay on specific builds.
  • SCCM / Intune: Import the latest MSI package into your software center and schedule a mandatory upgrade. Because this is a security patch, consider pushing it with a deadline measured in hours, not days.
  • Chrome Browser Cloud Management: If you’re enrolled in Google’s cloud console, you can force a version pin or trigger a guided update from the admin dashboard.

A key step for any admin: audit your fleet to identify machines still running pre‑150 builds. A quick PowerShell script can query the registry for installed Chrome versions:

Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object { $_.DisplayName -like "*Chrome*" } | Select-Object DisplayName, DisplayVersion

If you see versions below 150.0.7871.47, those machines need immediate attention.

Why Navigation Bypass Flaws Are So Dangerous

It’s worth understanding what’s at stake beyond the technical jargon. Your browser’s navigation system is what tells you where you really are on the web. It’s the mechanism that underpins the padlock icon, the “https” indicator, and the warning pages that pop up when a certificate doesn’t match. A navigation bypass can undo all of that in a single click. Imagine checking your bank balance on a page that looks identical to your bank’s real site, but which silently sends your login data to a server in another country. That’s the kind of scenario CVE-2026-13926 could enable.

Google’s security team is notoriously good at finding these flaws through internal fuzzing and external bug bounty programs, but every major browser faces them. In 2025 alone, Chrome patched over 300 security vulnerabilities, a dozen of which were navigation or UI‑spoofing bugs. The difference with CVE‑2026‑13926, according to the initial advisory, is its generic exploitability — it doesn’t require the user to be logged into a specific service or to have particular extensions installed.

The Bigger Picture: Chrome Security in 2026

Chrome 150 marks a milestone release for Google, coming roughly four years after the browser hit version 100. The rapid version‑number climb reflects an accelerated release cadence and a commitment to continuous patching. For users, that means security fixes arrive faster, but it also means you can’t afford to ignore updates. Bad actors track the public CVE listings and within days (sometimes hours) of a patch release, proof‑of‑concept exploits start circulating.

This update also underscores a point Microsoft has been pressing with its Edge browser: staying on a Chromium‑based browser means inheriting both the good and the bad from the open‑source project. Edge users will receive the same fix once Microsoft integrates the Chromium patches, typically within a day or two. If you use Edge on Windows, your update will come via Windows Update or a browser restart — but for now, the official patch is Chrome‑specific.

What to Do Right Now

  1. Update immediately — Follow the step‑by‑step instructions above. Even if you think Chrome auto‑updated, verify the version.
  2. Restart your browser — The update won’t take effect until you relaunch. Chrome’s restart option preserves your tabs.
  3. Turn on Enhanced Safe Browsing — In Chrome Settings > Privacy and Security, enable “Enhanced protection” for proactive warnings about dangerous sites. This can serve as a second line of defense.
  4. Check other Chromium browsers — If you use Brave, Vivaldi, Opera, or Edge, they’ll release corresponding patches soon. Check their update mechanisms manually.
  5. Report suspicious behavior — If you think you’ve encountered a page exploiting this flaw before patching, use Chrome’s built‑in “Report a problem” feature (Settings > About Chrome > Report an issue).

Outlook: What Comes Next

Google will eventually publish a more detailed CVE record, possibly with a technical analysis that shows exactly how the bypass worked. For now, the company is sticking to its practice of minimal public detail to protect users. Expect the final CVSS score to land in the 7.0–8.5 range, placing it among the more impactful Chrome flaws of the year.

Windows users who keep their browsers updated will be protected, but the window between disclosure and widespread patching is always the riskiest period. If you’re reading this and haven’t checked your Chrome version yet, open the About page now. It’s the quickest security action you’ll take all week.