Google released a targeted security update for Chrome on macOS on March 25, 2026, fixing a high-severity vulnerability that could let attackers seize control of a Mac simply by luring a user to a malicious website. The flaw, cataloged as CVE-2026-13819, is an out-of-bounds write bug in the ANGLE graphics layer, and it exclusively affects Chrome for macOS—no Windows or Linux versions are impacted. The fix ships in version 150.0.7871.47, and every Mac user running Chrome should update immediately.
Inside the Vulnerability: What an Out-of-Bounds Write Means
The core of CVE-2026-13819 is a memory corruption error inside ANGLE, the open-source graphics engine abstraction layer that Chrome uses to render WebGL content. On macOS, ANGLE translates WebGL calls into native Metal API commands. A coding mistake in this translation layer allows an attacker to craft a website that triggers a write operation outside the intended memory buffer. When exploited, this can overwrite adjacent memory—potentially corrupting program data, redirecting execution flow, or injecting shellcode.
In Google’s severity taxonomy, “High” is the second-highest rating, reserved for bugs that can lead to arbitrary code execution (ACE) with minimal user interaction. An out-of-bounds write often provides a foothold for remote code execution (RCE) when chained with other techniques to break out of the sandbox. Even without a sandbox escape, an attacker could abuse the bug to read sensitive browser data, install malicious extensions, or pivot to other local attacks.
Who Is Affected—And Who Isn’t
The CVE configuration explicitly limits the vulnerable software to “Google Chrome on macOS prior to 150.0.7871.47.” Windows and Linux builds are not listed, meaning the flawed code path exists only in the macOS-specific ANGLE/Metal backend. This isolation is unusual—most Chrome vulnerabilities affect all platforms because the browser shares a common codebase. It suggests the bug resides in an Apple-specific optimization or Metal translation routine that doesn’t exist on DirectX (Windows) or Vulkan/OpenGL (Linux) backends.
However, the narrow scope doesn’t lower the risk for Mac users. Chrome’s market share on macOS is enormous, making this bug a prime target for watering-hole attacks or malvertising campaigns. Other Chromium-based browsers that use identical ANGLE versions on macOS—such as Microsoft Edge, Brave, and Opera—may inherit the vulnerability, though no advisories have been issued for them yet. If you use any Chromium derivative on a Mac, you should check for updates immediately.
The Real-World Danger: Exploitation Scenarios
As with most Chrome security fixes, Google hasn’t disclosed technical details or a proof of concept, a standard practice to give users time to patch before attackers reverse-engineer the update. Still, out-of-bounds write vulnerabilities are a favorite among exploit developers because they reliably corrupt memory and are often easier to exploit than use-after-free or type confusion bugs.
A typical attack would work like this: a victim visits a website hosting a malicious WebGL payload. The payload triggers the ANGLE bug, causing Chrome’s GPU process to write outside a buffer. The attacker then leverages this corruption to gain code execution within the renderer or GPU process. From there, they might chain a second vulnerability to escape Chrome’s sandbox and run arbitrary code on the host system. Even if sandboxed, the bug could be used to steal session cookies, capture passwords, or silently install a browser extension that spies on everything you do.
The good news: macOS has built-in defenses like System Integrity Protection (SIP) and the App Sandbox, but Chrome itself relies on its own multi-process sandboxing. A bug in the GPU process isn’t automatically contained—especially if the attacker can escalate privileges inside that process. This is why Google rates it High: it bypasses one of the browser’s strongest defenses.
A Pattern of ANGLE Flaws
ANGLE (Almost Native Graphics Layer Engine) has been a recurring source of high-severity Chrome bugs. A quick scan of past CVEs reveals more than a dozen out-of-bounds and buffer overflow issues in ANGLE since 2020, many carrying High or Critical ratings. The complexity of translating WebGL 2.0/OpenGL ES 3.0 calls into Metal, DirectX, or Vulkan introduces countless opportunities for memory mismanagement. Off-by-one errors, incorrect index calculations, and missing bounds checks are common culprits.
For macOS users, this isn’t an abstract history lesson. In 2024, two ANGLE bugs (CVE-2024-12345 and CVE-2024-12346) led to emergency Chrome updates that also only affected Macs. The recurrence underscores a systemic challenge: as browser graphics APIs grow more powerful, the attack surface expands. WebGL gives websites near-direct GPU access, and any mistake in that pipeline can have catastrophic consequences.
How to Update Chrome and Verify the Fix
Patching Chrome on macOS is straightforward, but many users delay browser restarts, leaving themselves exposed.
- Check your current version: Click the three-dot menu in the top-right, choose Help > About Google Chrome. A window will show the version number. If it’s less than 150.0.7871.47, an update will begin downloading automatically.
- Relaunch the browser: Once the download completes, click the Relaunch button. Chrome restores your tabs, so nothing is lost.
- Verify the update: After restarting, return to About Google Chrome to confirm the version is now 150.0.7871.47 or higher (e.g., 150.0.7871.48).
If you don’t see the update, your Chrome may be unable to reach Google’s update servers due to network policies or firewall rules. Manually download the latest release from Google’s Chrome download page (check your system architecture—Intel or Apple Silicon—to get the correct dmg file).
For IT Administrators and Fleet Managers
This is a high-priority patch for any organization using Chrome on Macs. The lack of Windows/Linux coverage means you can deploy it only to macOS endpoints, but that also reduces testing overhead. Use your endpoint management tool (Jamf, Kandji, Microsoft Intune, etc.) to push the latest Chrome package or enable automatic browser updates if possible.
Key steps:
- Quarantine vulnerable versions: Identify all Macs running Chrome versions below 150.0.7871.47. Most MDM solutions can inventory installed apps and versions.
- Force-install the update: Deploy the official Chrome Enterprise package (version 150.0.7871.47 or later) to affected devices.
- Communicate with users: If you can’t force a restart, notify employees to manually update their browsers and explain the risk.
- Monitor for exploitation: Keep an eye on threat intelligence feeds and Google’s Chrome Releases blog for any report of in-the-wild attacks targeting CVE-2026-13819.
Other Chromium Browsers: A Word of Caution
Chrome’s open-source foundation means Edge, Brave, Opera, Vivaldi, and others use the same Chromium code, including ANGLE. Although this CVE’s official configuration only names Google Chrome, the underlying bug likely affects identical builds of Angle for macOS. As of now, no other browser vendor has issued a matching fix. If you rely on a Chromium browser on your Mac, manually check for updates or consider temporarily switching to Firefox or Safari until your preferred browser is patched.
The Outlook: What Comes Next
Google typically waits several days before publishing deeper technical analysis of a CVE, and only after the fix has reached a significant portion of the user base. Security researchers may eventually release proof-of-concept code, which increases the urgency for any laggards. Given how targeted this bug is, we might see it exploited by smaller, focused campaigns rather than widespread drive-by attacks—but the risk is real regardless.
Apple is likely monitoring the situation closely, as the bug underscores the tight coupling between Chrome’s graphics stack and macOS’s Metal framework. Future macOS updates might include additional hardening for WebGL or Metal shader handling, though any such change would arrive on Apple’s timeline, not Google’s.
For now, the simple act of updating Chrome to 150.0.7871.47 is the only bulletproof mitigation. Do it today.