Google has shipped Chrome 150.0.7871.47 for Android, closing a WebXR vulnerability that could let a remote attacker bypass navigation restrictions. The flaw, tracked as CVE-2026-14034, was disclosed on June 30, 2026, and carries a low severity rating. Any Chrome for Android installation below the new build is affected.

What actually changed

The update patches a specific bug in the way Chrome handled navigation requests during active WebXR sessions. WebXR is the API that powers browser-based virtual and augmented reality experiences. Normally, Chrome imposes strict rules: while a user is inside an immersive XR session, the browser should not allow the page to silently redirect the user or spoof the location bar. According to the Chromium bug tracker, a crafted HTML page could exploit insufficient validation in this path to bypass those restrictions. Google has not released full technical details, which is standard while users update.

The fix is delivered via a routine stable channel refresh. The only change documented in the release notes is the security patch for CVE-2026-14034. No other CVEs are mentioned, suggesting a targeted fix. The version bump from the prior 150.0.7871.33 to 150.0.7871.47 changes only the final patch component, consistent with a minor, surgical update.

What it means for you

For the everyday Chrome user on Android, the immediate risk is low. The flaw requires a remote attacker to lure you to a malicious website that opens a WebXR session. Simply visiting a page is not enough; the attacker would need to trigger an immersive experience and then exploit the bypass to mislead you about which site you are on. Because Chrome on Android will have already prompted you for XR permissions, the attack surface is constrained. No evidence of active exploitation has surfaced, and Google’s own severity rating lowers the urgency compared to high or critical bugs.

That said, any navigation bypass can be abused in phishing campaigns. A well-crafted attack might temporarily hide the real URL while the user is in an XR session, then redirect to a fake login page. Home users should treat the update as important but not panic. Enterprise administrators with managed Android fleets have a different calculus. Even low-severity flaws can be chained with other vulnerabilities or social engineering. The more devices your organization manages, the larger the exposure. IT teams should verify that Chrome is auto-updating via Google Play policies, or push the new build via mobile device management (MDM).

Developers working with WebXR on Android should audit their own sites to ensure they are not inadvertently relying on the faulty behavior. No code changes are required, but testing against the new Chrome build is wise. Google has not introduced any breaking API changes; the fix is entirely internal to the rendering engine.

How we got here

WebXR has been a part of Chrome since 2019, gradually maturing with each release. Because immersive APIs blur the line between web content and the device’s sensor and display stack, they have been a recurring source of security boundary issues. Over the past two years, Chromium has patched several navigation-related bugs on desktop and Android, including CVE-2022-1234 (an XR frame navigation bypass) and CVE-2024-3315 (a fullscreen navigation spoof). This latest finding continues that pattern.

The bug was reported through Chrome’s vulnerability reward program, though the researcher’s name has not been made public. Google typically withholds credit until a significant portion of users have applied the patch. The rapid turnaround—the bug was likely reported shortly before the June 30 disclosure—shows that even low-severity issues can be shipped with minimal delay in the Chrome release cycle.

Chrome 150 itself reached the stable channel on June 24, 2026, with a batch of security fixes. This .7871.47 build is a point release, pushed out-of-band for this single CVE. For Android users, Google Play’s staged rollouts mean that the update does not hit every device simultaneously. It can take a few days for the new version to appear in the Play Store, although manually checking often triggers the download.

What to do now

Check your Chrome version on Android. The path differs slightly by device, but generally: open Chrome, tap the three-dot menu, select “Settings,” then “About Chrome.” The app will display the installed version and trigger an update if one is available. If the number reads 150.0.7871.47 or higher, you are protected. If it shows an older build, wait a moment for the update check to complete; if nothing appears, you can visit the Play Store listing for Chrome and hit “Update.”

For enterprise environments:
- If you use Google Play managed configurations, ensure the “Auto Update” policy is set to “Auto-update immediately” for Chrome. This bypasses the usual staged rollout and forces devices to pull the latest version promptly.
- For MDM platforms like Intune, Workspace ONE, or Knox, create or update a compliance policy that requires a minimum Chrome version of 150.0.7871.47. Mark non-compliant devices as “not compliant” to block access to corporate resources until they update.
- Communicate to users: because Chrome app updates do not require a device reboot, there is minimal disruption. A brief internal advisory can remind staff to launch the Play Store if an auto-update has not been received.
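As an added illustration of the minimum-version compliance check described above (example code, not from Google or this article), the Python below extracts the `versionName` line from a constructed sample of `adb shell dumpsys package com.android.chrome` output and compares it component-wise against 150.0.7871.47, avoiding the lexicographic trap where "150.0.7871.5" would sort above "150.0.7871.47". The sample dumpsys text is an assumption, abbreviated to the relevant lines.

```python
import re
from typing import Optional, Tuple

# Minimum build named in the advisory.
MIN_CHROME_VERSION = "150.0.7871.47"

# Constructed, abbreviated sample of `adb shell dumpsys package com.android.chrome`
# output for a device still on the prior build (assumption, not a real capture).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.android.chrome] (3e4f1a2):
    userId=10123
    versionCode=787103300 minSdk=26 targetSdk=35
    versionName=150.0.7871.33
    splits=[base]
"""

def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted Chrome version into integers so the comparison is
    numeric, not lexicographic ("150.0.7871.5" must sort below ".47")."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(part) for part in version.split("."))

def version_from_dumpsys(output: str) -> Optional[str]:
    """Return the versionName value from dumpsys package output, or None."""
    match = re.search(r"^\s*versionName=(\S+)", output, re.MULTILINE)
    return match.group(1) if match else None

def is_compliant(installed: str, minimum: str = MIN_CHROME_VERSION) -> bool:
    """True when installed >= minimum, comparing each component as an int."""
    a, b = parse_version(installed), parse_version(minimum)
    # Pad the shorter tuple with zeros so "150.0" compares like "150.0.0.0".
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b

def check_device(dumpsys_output: str) -> dict:
    """Summarise one device for an MDM-style compliance report; a missing
    Chrome package (no versionName line) is reported as non-compliant."""
    installed = version_from_dumpsys(dumpsys_output)
    return {
        "installed": installed,
        "minimum": MIN_CHROME_VERSION,
        "compliant": installed is not None and is_compliant(installed),
    }

if __name__ == "__main__":
    print(check_device(SAMPLE_DUMPSYS))
```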

Home users should also verify that Google Play Protect is enabled. While Play Protect scans for malicious apps, keeping Chrome current remains the primary defense against browser-based exploits. No ad-blocking or script-blocking extension adjustments are needed; the fix is in the browser engine itself.

Outlook

Google Chrome on Android will continue to receive bi-weekly security updates as part of the normal release cadence. Further WebXR vulnerabilities are likely, given the complexity of immersive APIs. The Chromium team has signaled that they are investing in stronger process isolation for XR sessions, similar to site isolation, which would make navigation bypasses far harder to exploit. For now, CVE-2026-14034 is a low-noise reminder to keep Chrome updated. The best practice remains: enable automatic updates and check the version periodically.