Google released a security update for Chrome on Android on June 30, 2026, patching a use-after-free vulnerability that could allow attackers to execute arbitrary code just by tricking a victim into visiting a malicious website. The flaw, designated CVE-2026-14064, resides in the browser’s PageInfo component and affects all versions prior to 150.0.7871.47. Although Google rates it as low severity, the potential impact is high—a successful exploit could install malware, steal credentials, or pivot to other apps.
Update Details
The fix arrives in a single-CVE point release: Chrome for Android stable version 150.0.7871.47. Google’s advisory notes that the bug is a use-after-free in PageInfo, the dialog that displays a site’s security certificate, permissions, and connection details. Use-after-free vulnerabilities occur when a program frees a memory location but continues to reference it. Attackers can carefully craft web content that forces the browser to reuse that memory in a controlled way, leading to arbitrary code execution within the browser process.
Version numbers to know:
- Vulnerable: any Chrome for Android build earlier than 150.0.7871.47
- Fixed: 150.0.7871.47 and later
Because this is a targeted security release, no other features or notable changes are included. The update is rolling out on Google Play, and users should expect to see it within hours or a day depending on Google’s staged rollout schedule.
Impact on Users
If you rely on Chrome on an Android phone or tablet, this bug represents a real and present danger. Here’s why: the PageInfo sheet is something users summon frequently—to inspect an HTTPS lock, manage location permissions, or clear site data. An attacker-controlled page could embed JavaScript that triggers the use-after-free as soon as you tap the lock icon or interact with the permissions prompt. From there, remote code execution could lead to a full browser compromise, including session hijacking, keylogging, and exfiltration of saved passwords and cookies.
Windows users are not directly vulnerable on their PC from this CVE. However, the cross-device syncing in the Google ecosystem means that a compromised Android browser could leak credentials that unlock your Windows-bound Google account, potentially exposing your entire Chrome sync data, including passwords, bookmarks, and payment information. In corporate environments using Google Workspace or other identity providers, a stolen token could be the first step in a broader attack against cloud resources accessible from Windows machines.
Concrete User Scenarios:
Home users:
- You click a seemingly innocent link in a text message or email.
- The page silently exploits the PageInfo bug when you inadvertently tap a security icon or permission prompt.
- Malicious code installs a hidden extension or siphons out locally stored data.
Enterprise users:
- An employee’s personal Android device, which is enrolled in a BYOD program, gets exploited.
- The attacker captures the session tokens for corporate SaaS tools, bypassing multi-factor authentication.
- The attacker may use those tokens from any Windows laptop to move laterally into the corporate network.
The silver lining: Google states the severity as “Low,” which typically reflects the difficulty of crafting a reliable exploit and the inherent sandbox protections. But once exploited, the impact can be substantial, so do not dismiss this as trivial.
Background and Context
Use-after-free bugs are a perennial headache for browser makers. Chrome’s codebase, much of it written in C++ for performance, leaves memory-management responsibility to developers. Despite rigorous testing and automated fuzzing, such flaws slip through. The PageInfo component has been a target before: in 2023, CVE-2023-4909 allowed a similar attack via a use-after-free in site permissions. The UI-heavy logic that mixes permission states and security indicators makes it an attractive target for memory corruption hunters.
Google’s Chrome Security Team and its Vulnerability Reward Program continuously invite external researchers to find and report these issues. The credited discoverer for CVE-2026-14064 was not immediately disclosed, which is common when researchers request anonymity or when coordinated disclosure with other products is still in progress.
The timeline of this vulnerability:
- Not a zero-day: the bug was internally discovered or reported through the bug bounty, then fixed before public disclosure.
- June 30, 2026: Stable channel update published, with full details in the Google Chrome Android releases blog.
- As of publication, there are no known reports of active exploitation in the wild.
Action Plan
The most important step is to update Chrome on every Android device you own or manage. Here are the foolproof instructions:
- Open the Google Play Store on your Android device.
- Tap your profile icon in the top right, then “Manage apps & device.”
- Under “Updates available,” find Google Chrome. If an update is listed, tap “Update.”
- If no update appears, it may still be rolling out. You can force a refresh: go to the Chrome app page in Play Store, close the app page, clear the Play Store cache (Settings > Apps > Google Play Store > Storage > Clear Cache), then reopen and check again.
- After updating, open Chrome, type chrome://version in the address bar, and confirm the Application version begins with 150.0.7871.47.
- Restart Chrome to ensure the new code is fully loaded.
Enabling automatic updates: In the Play Store, go to Chrome’s app page, tap the three-dot overflow menu, and ensure “Enable auto update” is checked. This ensures future patches install without delay.
For IT administrators:
- Use your Mobile Device Management (MDM) platform to check the installed version of Chrome on managed Android devices. Create a compliance rule that flags any version below 150.0.7871.47.
- If your MDM supports it, push a managed configuration to force Chrome to update from Play and restrict usage until the device is compliant.
- Send a company-wide advisory reminding employees to update their personal devices if they access work resources from Chrome on Android.
- Remember: this CVE does not affect Chrome on Windows, macOS, or Linux, but your overall security posture demands vigilance on all endpoints.
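One way to implement the compliance rule above, as an added example that is not part of Google’s advisory or of any MDM product: a Python script that reads the `versionName` line printed by `adb shell dumpsys package com.android.chrome` for each managed device and flags any build below 150.0.7871.47. The device ids and dumpsys excerpts are constructed sample data; in practice the inventory would come from your MDM export or from adb.

```python
# Added example (not from the advisory): flag Android devices whose Chrome build is
# older than the fixed version 150.0.7871.47. Input is the "versionName=" line that
# `adb shell dumpsys package com.android.chrome` prints; the sample lines are constructed.
import re

FIXED_VERSION = "150.0.7871.47"  # first patched Chrome for Android build

# Constructed sample: one dumpsys excerpt per device, keyed by a made-up device id.
SAMPLE_INVENTORY = {
    "device-A": "    versionCode=787104700 minSdk=26 targetSdk=35\n    versionName=150.0.7871.47\n",
    "device-B": "    versionName=150.0.7871.9\n",
    "device-C": "    versionName=149.0.7802.118\n",
    "device-D": "    versionName=150.0.7871.100\n",
    "device-E": "    no chrome package found\n",
}

_VERSION_RE = re.compile(r"^\s*versionName=(\d+(?:\.\d+){3})\s*$", re.MULTILINE)


def parse_version(text: str):
    """Return the four numeric components of the first versionName line, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_compliant(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is the fixed version or later.

    Components are compared numerically, so 150.0.7871.100 sorts after
    150.0.7871.47 (a plain string comparison would get this wrong)."""
    installed = parse_version(version_text)
    if installed is None:
        return False  # Chrome missing or version unreadable: treat as non-compliant
    return installed >= tuple(int(p) for p in fixed.split("."))


def flag_noncompliant(inventory: dict) -> list:
    """Return the ids of devices that still need the 150.0.7871.47 update."""
    return sorted(dev for dev, text in inventory.items() if not is_compliant(text))


if __name__ == "__main__":
    for dev in flag_noncompliant(SAMPLE_INVENTORY):
        print(f"{dev}: update required (found {parse_version(SAMPLE_INVENTORY[dev])})")
```

Devices whose Chrome package is absent or whose version cannot be parsed are reported as non-compliant rather than silently skipped, so an uninstalled or sideloaded browser still shows up for review.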
A brief but crucial note: no mitigation exists aside from updating. Disabling JavaScript might prevent exploitation but breaks most websites; keeping Google Play Protect on and avoiding suspicious links remain good practices but will not stop a targeted attack once a user lands on a malicious page.
If your Android device is too old to receive Chrome updates through the Play Store (typically devices stuck on an Android version no longer supported by Google), consider switching to a browser that still gets security patches, such as Firefox or Brave, or, as a last resort, replace the device.
Looking Ahead
CVE-2026-14064 underscores an uncomfortable reality: browsers remain complex software vulnerable to memory-safety bugs, and the Android ecosystem’s fragmentation sometimes slows down unified patching. Google is betting on Rust to gradually eliminate use-after-free vulnerabilities, but the migration is a multi-year effort.
We can expect further Android-specific Chrome patches as security researchers continue to probe the mobile browser’s attack surface. In the near term, keep a close watch on the Chrome Releases blog for any supplemental fixes that might appear as part of the ongoing 150.x series. And the next time you see a “Low” severity tag, respond just as promptly as you would to a “Critical” or “High” one, because in the real world, impact usually matters more than a label.