Google Chrome for iOS: Batch of 25 Vulnerabilities Disclosed, Ranging from UI Spoofing to Sandbox Escapes
Google Chrome for iOS: 25 vulnerabilities disclosed, ranging from UI spoofing to sandbox escapes, all fixed in version 150.0.7871.47.

Key findings
- 25 vulnerabilities disclosed for Chrome for iOS on July 1, 2026, all fixed in version 150.0.7871.47.
- Flaws include use-after-free, insufficient validation, and inappropriate implementation across multiple browser components.
- Vulnerabilities range in severity from Low to High, with High-severity flaws including sandbox escapes and arbitrary code execution.
- Exploitation often relies on remote attackers presenting crafted HTML pages or specific UI gestures.
- Key affected components include Blink and various platform-specific features.
On July 1, 2026, a significant batch of 25 vulnerabilities was disclosed for Google Chrome on iOS, all addressed in version 150.0.7871.47. These vulnerabilities span various components of the browser, with a notable cluster related to insufficient validation of untrusted input and inappropriate implementations, posing risks such as UI spoofing, navigation bypass, and potential sandbox escapes.
Several vulnerabilities fall under the category of "Insufficient validation of untrusted input." These include CVE-2026-13917, CVE-2026-14136, CVE-2026-13991, CVE-2026-13812, CVE-2026-14066, and CVE-2026-13850. These flaws, often requiring a user to engage in specific UI gestures or involving a compromised renderer process, could lead to UI spoofing, navigation restriction bypass, UXSS (cross-site scripting), sandbox escapes, or arbitrary code execution within a sandbox.
Another prominent theme is "Inappropriate implementation," affecting CVE-2026-14128, CVE-2026-13981, CVE-2026-13902, CVE-2026-13980, CVE-2026-13892, CVE-2026-13916, and CVE-2026-13842. These vulnerabilities can result in UI spoofing, spoofing of the Omnibox (URL bar) contents, or leakage of cross-origin data, typically through crafted HTML pages.
"Use after free" vulnerabilities, specifically CVE-2026-14099, CVE-2026-13915, and CVE-2026-13918, were also disclosed. These issues, often triggered by specific UI gestures, can lead to heap corruption, potentially allowing remote attackers to exploit the vulnerability via a crafted HTML page.
Furthermore, "Insufficient policy enforcement" vulnerabilities, including CVE-2026-13813, CVE-2026-13795, and CVE-2026-14075, were identified. These could allow remote attackers to perform sandbox escapes or bypass navigation restrictions and no-referrer policies. Other vulnerabilities include "Insufficient data validation" (CVE-2026-13808), which could lead to sensitive information disclosure with physical access, and "Incorrect security UI" (CVE-2026-14123, CVE-2026-14028), enabling UI spoofing.
The disclosed vulnerabilities range in severity from Low to High. High-severity flaws include potential sandbox escapes (CVE-2026-13813, CVE-2026-13843), navigation bypasses (CVE-2026-13795), Omnibox spoofing (CVE-2026-13842), and arbitrary code execution (CVE-2026-13850). All 25 vulnerabilities were fixed in Google Chrome on iOS version 150.0.7871.47. Users are strongly advised to update to this version to mitigate the risks associated with these security flaws.
This batch of 25 vulnerabilities underscores the importance of timely updates for mobile browsing applications. While many of these issues require user interaction or specific conditions to be exploited, the potential impact, including UI spoofing and sandbox escapes, highlights the need for vigilance. Users should ensure their Chrome for iOS is updated to the latest version, 150.0.7871.47, which addresses all disclosed vulnerabilities.
The vulnerabilities were disclosed on July 1, 2026, and were all patched in version 150.0.7871.47. The flaws include use-after-free, type confusion, and inappropriate implementation across multiple browser components. Exploitation often relies on remote attackers presenting crafted HTML pages or malicious extensions. Key affected components include Blink, and various platform-specific features. Vypr Intelligence