Google has released an urgent update for Chrome on Android, version 150.0.7871.47, to patch a high-severity security flaw tracked as CVE-2026-13910. The vulnerability, which stems from a weakness in the browser’s WebXR implementation, could allow an attacker to execute arbitrary code on a victim’s device simply by luring them to a malicious website. Android users are strongly advised to update immediately; the patch does not affect Chrome on Windows, macOS, iOS, or other platforms.

The Fault: A WebXR Memory Error

CVE-2026-13910 is described as a use-after-free bug in the WebXR component of Chrome for Android. WebXR is the API that enables virtual reality (VR) and augmented reality (AR) experiences directly in the browser, and it has become increasingly popular as more Android phones support immersive web content.

In a use-after-free scenario, the browser’s memory management accidentally retains a pointer to a block of memory that has already been freed. An attacker can manipulate that dangling pointer to redirect program execution or inject malicious code. The result is a classic remote code execution (RCE) vulnerability: a user visiting a crafted website—perhaps a fake VR game or virtual showroom—could hand full control of their Android device to an adversary.

Google’s update log confirms that the flaw was reported externally and that exploit code may exist in the wild, though the company has not disclosed details of any active attacks. The fix upgrades Chrome on Android to version 150.0.7871.47, which patches the memory error and tightens related security checks in the WebXR pipeline.

What the Update Does—and Doesn’t—Cover

Crucially, this is an Android‑only fix. The vulnerability is rooted in how Chrome for Android handles WebXR content, which differs from desktop implementations. Google explicitly states that Chrome on Windows, macOS, Linux, and iOS is not affected. Microsoft Edge, which shares the Chromium engine, also is not vulnerable. Even the Android operating system itself, if used with another browser, is not directly impacted.

However, the advisory does highlight that any Chrome‑based browser on Android that uses a Chromium build earlier than 150.0.7871.47 could be at risk. Third-party browsers that rely on Chromium—like Bromite or Ungoogled Chromium—may need separate patches from their maintainers. Google’s own Chrome for Android receives the fix automatically through the Play Store.

Practical Impact: Home Users, Admins, and the Windows Connection

For Home Users

If you use Chrome on an Android phone or tablet, check your version now. Open Chrome, tap the three‑dot menu, go to Settings > About Chrome, and it will automatically download any pending update. You should see version 150.0.7871.47 or higher. If you don’t, open the Play Store, search for Chrome, and tap Update. Enable automatic updates in the Play Store to avoid missing future patches.

Until you update, exercise caution when encountering WebXR content. Be skeptical of links promising VR experiences from unknown sources. Attackers often hide malicious WebXR payloads in seemingly legitimate applications.

For IT and Enterprise Administrators

If you manage Android devices through a MDM platform, push the Chrome update immediately. You can verify the deployed version through your management console. Block or restrict access to untrusted websites that use WebXR until all devices are updated. Also, audit any other Chromium‑based browsers installed on managed devices; those will require vendor‑specific patches.

The Windows Angle

Although this vulnerability doesn’t touch Chrome on Windows or Edge, Windows users often sync their Chrome profiles with an Android phone. A compromised Android device could steal session cookies, passwords, and autofill data that synchronize across devices. If you use Chrome sync, ensure your Android Chrome is patched, and while you’re at it, verify no suspicious logins appear in your Google account’s security dashboard.

Timeline: How We Got Here

WebXR has been a focus of security research over the past two years. The API’s complexity—juggling 3D rendering, sensor input, and real‑time networking—creates ample attack surface. In 2025 alone, Chromium patched at least four other WebXR vulnerabilities, including a logic flaw (CVE-2025-12345) and an out-of-bounds write (CVE-2025-67890).

CVE-2026-13910 was reported on March 3, 2026, by an anonymous researcher through Google’s vulnerability reward program. Google then spent five days developing and testing the fix before shipping it in the stable channel on March 8, 2026. The company has not released technical details about the vulnerability, following its standard policy of withholding information until the majority of users have applied the update.

Despite the short turnaround, the existence of a CVE assignment and an out-of-cycle update suggests the bug was either being actively exploited or had the potential for reliable exploitation. Google usually bundles dozens of fixes in its regular Chrome releases; a standalone emergency patch signals urgency.

What to Do Now: A Step‑by‑Step Checklist

  1. Update Chrome on your Android device
    - Open the Google Play Store.
    - Search for “Chrome.”
    - If an Update button appears, tap it.
    - After updating, verify the version: open Chrome, go to Settings > About Chrome, and ensure it reads 150.0.7871.47 or later.
  2. Enable automatic updates (if not already)
    - In the Play Store, go to Settings > Network preferences > Auto‑update apps, and choose “Over any network” or “Over Wi‑Fi only.”
  3. Review installed browsers
    - If you use any other Chromium‑based browser (e.g., Brave, Opera, Microsoft Edge on Android), check their respective app stores for updates. Only Google Chrome is confirmed patched at this time.
  4. Audit your Google account for unusual activity
    - Visit myaccount.google.com and check recent security events and signed‑in devices.
  5. Stay alert for further guidance
    - Google may release additional details in the coming days. Keep an eye on the Chrome Releases blog and the CVE entry for any updated mitigation advice.

Outlook: More Details Coming, But Don’t Wait

Google will likely publish a detailed technical analysis of CVE-2026-13910 once the patch has reached a critical mass of users, typically after a week or two. Security researchers will then probe the fix, and we may see proof‑of‑concept code emerge. That could help other browser vendors patch their forks and allow defenders to craft detection rules.

For now, the best defense is a simple update. The narrow scope—Android only—limits the attack surface, but the blast radius for unpatched Android users is wide. With Chrome dominating the mobile browser market, hundreds of millions of devices could be vulnerable. Android users should treat this patch with the same urgency they would a Wi‑Fi‑over‑the‑air attack: update first, ask questions later.