Google shipped Chrome for iOS version 150.0.7871.47 on Monday, fixing a security hole that could let a remote attacker compromise unpatched iPhones and iPads through nothing more than a visit to a booby‑trapped website. The flaw, recorded as CVE-2026-13915, affects every Chrome release on iOS before the new build, and the company’s bare‑bones advisory explicitly warns that an exploit “could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page.”
If you use Chrome on an iPhone or iPad, open the App Store and install the update now. The patch is small, it is available worldwide, and it plugs a vulnerability that Google itself ranks as high‑severity — the kind that rarely stays theoretical for long once the details leak.
The one concrete detail you need today
CVE-2026-13915 is the star of a single‑fix release. Unlike the desktop Chrome updates that arrive every four weeks with 20 or 30 bug fixes, Chrome 150.0.7871.47 for iOS addresses exactly one security item, which tells you the fix was urgent enough to break the normal cadence. The vulnerability lives in the WebKit‑based rendering engine that all browsers on iOS are forced to use, but the bug is triggered through Chrome’s custom networking stack, JavaScript optimisations, or the sandbox‑escape pathways that are unique to the app. Because Apple mandates WebKit on iOS, every third‑party browser is essentially a different wrapper around the same core engine; what sets Chrome apart is how it processes web content before it hits that engine. That preprocessing is where the weakness lay.
The NVD record — which pulls its information from Google’s own advisory — describes the attack surface succinctly: “Chrome on iOS versions before 150.0.7871.47 are the affected assets … a remote attacker could use a crafted HTML page to trigger heap corruption.” The Chromium project’s public “stable channel update” notice adds that an exploit for CVE-2026-13915 “exists in the wild.” That last clause is the difference between a patch‑Tuesday chore and a drop‑everything‑and‑update alert. When Google says an exploit is in the wild, it means attackers are already wielding the bug, and every hour you delay the update is a fresh opportunity for a drive‑by download, a phishing page that steals your session cookie, or a one‑click installer that drops malware onto your device.
What the attack actually looks like — and who is in the crosshairs
Because this is a heap‑corruption bug in a browser, the attack vector is depressingly familiar: you visit a website, and that website — either because it is completely malicious or because it contains a rogue advertisement — delivers the crafted HTML. No prompt, no permission dialogue, no download. The corrupted heap memory can then be fashioned into an arbitrary code‑execution primitive, letting the attacker run commands with the same privileges as the Chrome app. On iOS, those privileges are tightly sandboxed, but a determined adversary can often chain a browser bug with a separate privilege‑escalation flaw in the operating system to break out of the sandbox and gain full device access.
For everyday users, the practical risk depends less on the technical elegance of the exploit and more on the attack surface they expose. If you browse the web mostly through Safari, you are not directly vulnerable to CVE-2026-13915, but Chrome remains the default or go‑to browser for millions of iOS users who sync bookmarks, passwords, and open tabs across their Windows PCs and iPhones. For those users, any webpage they open in Chrome — whether it is a news article, a shopping site, or a link in an email — becomes a potential delivery mechanism.
IT administrators managing fleets of company‑owned iOS devices are the professionals who should treat this update with the greatest urgency. Many enterprises standardise on Chrome for iOS because it ties into Google Workspace, Gmail, and corporate identity providers. An exploited Chrome instance on a managed device can be the first hop in a broader network intrusion. If your mobile‑device‑management (MDM) solution pushes app updates automatically, verify that the policy is working and that Chrome 150.0.7871.47 is installed across the fleet. If you rely on users to update manually, push an emergency communication — today — that explains the in‑the‑wild exploitation and the simplicity of the fix.
Developers who maintain iOS apps that embed web views do not need to take special action, as long as the Chrome app itself is updated. However, if your organisation ships a custom browser built on Chromium for iOS, check whether the patch has been backported to your fork; the CVE entry does not list affected Chromium components, but Google typically provides commit references that downstream maintainers can cherry‑pick.
The timeline: how we got here
Google’s Chrome stable channel for iOS has historically followed a relaxed release schedule compared to the desktop and Android editions. While desktop Chrome ships every four weeks, major iOS milestones often land every six or eight weeks, and out‑of‑band security fixes are unusual. The last time a single‑CVE release was forced on iOS was in early 2025, when a zero‑day in WebRTC prompted an identical “update now” alert.
The identity of the researcher who reported CVE-2026-13915 has not been disclosed, a common practice when an exploit is found in the wild. Google’s advisory merely notes “Anonymous researcher” with no further attribution. That anonymity often signals that the bug was discovered by one of Google’s own Threat Analysis Group (TAG) or by a partner intelligence agency, though occasionally it means the researcher requested privacy to avoid retaliation while the fix was rolling out.
Unusually, the NVD entry for CVE-2026-13915 carries a CVSS base score of 8.8 — “High” — but Google’s own severity rating for iOS bugs is often absent. The discrepancy highlights the tension between the raw technical impact and the realistic attack complexity. A heap‑corruption bug in a sandboxed iOS app is not, by itself, a complete takeover, so independent scoring bodies tend to rate it lower than a remote code execution in a fully privileged desktop process. Still, Google’s decision to ship an unscheduled fix and to disclose in‑the‑wild exploitation tells the real story: someone, somewhere, is actively using this bug to hurt people.
What to do right now — for yourself and your organisation
For the individual iPhone or iPad owner, the fix takes under a minute:
- Unlock your device and open the App Store.
- Tap your account icon in the top‑right corner.
- Scroll down to the list of available updates.
- Find Google Chrome and tap Update. If you do not see it, pull down to refresh.
- Once the update has downloaded and replaced the old app, open Chrome.
- Tap the three‑dot menu, then Settings > About Chrome to confirm the version reads 150.0.7871.47.
If you have automatic downloads enabled on iOS, the update may already be installed. Double‑checking the version number is the only way to be sure. Also, while you are in the App Store, look for updates to any other apps that bundle Chrome’s rendering components — Google’s own Gmail, Maps, and Search apps occasionally ship their own copies of Chromium and may receive separate patches after a browser‑level fix is released. Keep an eye out for those updates in the coming days.
For IT teams using an MDM platform such as Jamf, Microsoft Intune, or VMware Workspace ONE:
- Push the latest Chrome app version as an available or required update.
- Verify your inventory shows all supervised devices on iOS 16 or later (Chrome 150 requires at least iOS 16).
- If you use a Zero Trust solution that evaluates device posture before granting access to corporate resources, add Chrome version < 150.0.7871.47 as a non‑compliant condition.
- Remind users through Slack, Teams, or email that this update is not a routine polish; it closes a hole attackers are actively probing.
A brief note on detection: because the exploit typically leaves no obvious trace — no crash log, no pop‑up — the only reliable indicator of compromise is a full forensic analysis of the device, which is impractical for most organisations. Prevention, in this case, is the only realistic defence.
The bigger picture and what comes next
This patch is a sharp reminder that the security model of iOS browsers is only as strong as the apps built on top of WebKit. While Apple’s mandatory use of the system rendering engine has undeniably prevented countless memory‑safety bugs from being exposed through third‑party browsers, it also creates a monoculture: when a flaw is found in the interaction between a browser’s own networking code and WebKit’s rendering, every alternative browser becomes a potential victim. Chrome’s large install base on iOS makes it a prime target, but Firefox, Edge, and DuckDuckGo have all had their own moments in the zero‑day spotlight for similar reasons.
Google is expected to follow this release with a more detailed technical blog post within the next week, standard practice when the fixes have reached a critical mass of users. That write‑up will likely include a breakdown of the heap‑corruption mechanism and may reveal whether the bug was chained with other vulnerabilities. For now, the company is urging users to update immediately and to enable automatic updates on all devices.
In the meantime, the usual hygiene rules remain your best shield: avoid clicking links in unsolicited messages, keep your iOS operating system current, and consider using a content‑blocking extension that neuters malicious JavaScript before it can execute. No single measure is a silver bullet, but layered defences make an attacker’s job measurably harder.
The one action that costs nothing and pays the highest dividend is still the simplest: open the App Store, tap Update, and close the door CVE-2026-13915 left open.