Google has published a security advisory for CVE-2026-13868, a newly disclosed vulnerability affecting Chrome on Android. The flaw, rated medium severity, is fixed in version 150.0.7871.47. Anyone running an older build should update immediately through the Play Store.
The patch lands in Chrome 150.0.7871.47
The National Vulnerability Database (NVD) entry for CVE-2026-13868 describes it as an "inappropriate" condition — though at the time of writing, the full technical description remains truncated. Google’s own advisory for Chrome on Android typically provides more detail, but as with many Chrome vulnerabilities, specifics are withheld until a majority of users have applied the update.
What we know for certain:
- CVE identifier: CVE-2026-13868
- Severity: Medium (NVD base score not yet published, but Google’s internal rating is “Medium”)
- Affected versions: Chrome for Android earlier than 150.0.7871.47
- Fix version: 150.0.7871.47
- Disclosure source: The National Vulnerability Database, with the CVE record supplied by an unspecified party
The version jump — from prior 150.x builds to 150.0.7871.47 — indicates a targeted fix rather than a full feature update. Google uses the fourth octet (“47” here) for minor patches and security backports. This aligns with the Chrome team’s standard practice of pushing out-point releases for high-severity bugs and occasionally for medium ones when they present a notable risk.
What this means for you
If you use Chrome on an Android phone or tablet
The practical impact is straightforward: a medium-severity vulnerability has been identified and patched. Medium flaws in Chrome are not typically the kind that let remote attackers take over a device with a single click, but they can still lead to information disclosure, denial of service, or — when chained with another bug — privilege escalation. Because Chrome on Android renders web content from countless untrusted sources, any unchecked vulnerability creates a small, persistent window of risk.
Update now. Open the Play Store, search for Chrome, and tap “Update.” If you don’t see the update yet, it may still be rolling out; check again in a few hours. To confirm you’re protected, open Chrome, tap the three-dot menu > Settings > About Chrome. The application version should be 150.0.7871.47 or higher.
If you manage Android devices at work
For IT administrators using mobile device management (MDM) or enterprise policies, this is a textbook case of why enforcing automatic Chrome updates — or at least a prompt patch cadence — matters. The CVE does not currently have a known public exploit, but medium-severity Chrome bugs sometimes get weaponized after a public disclosure. Consider:
- Checking your MDM dashboard for any devices still running Chrome versions below 150.0.7871.47.
- Pushing the Chrome update via managed Play Store or your EMM console.
- Reviewing enterprise Chrome policies to ensure that background sync and auto-update are permitted on managed devices.
No change to user-facing features is included; this is purely a security fix.
If you’re a developer
Developers who rely on Chrome’s WebView for in-app browsing should note that the same CVE could affect WebView if the underlying Chromium engine is vulnerable. The fixed version of Chrome also updates the system WebView when installed via the Play Store on Android 7 and newer, but standalone WebView packages may need a separate update. Confirm that the WebView implementation in use — whether the Chrome-backed WebView or a custom solution — runs on Chromium 150.0.7871.47 or later.
How we got here
Chrome on Android follows the same six-week major release cycle as its desktop sibling, punctuated by smaller point releases that address security or stability regressions. Version 150 shipped as a major milestone in the Stable channel several days before this CVE emerged, so 150.0.7871.47 is one of the first post-release patches for the 150 branch.
Google labels Chrome vulnerabilities according to an internal severity rating — Low, Medium, High, or Critical — based on the worst-case impact if left unpatched and assuming a standard user configuration. Medium typically means the bug has limited reach: perhaps it requires specific conditions, user interaction, or yields only partial exposure. That said, Chrome’s security team has raised the severity of flaws before, so the rating could be revised if later analysis reveals a more dangerous exploitation path.
Over the past year, Chrome for Android has received dozens of similar medium-severity patches. Most are discovered internally or reported through Google’s Vulnerability Reward Program. CVE-2026-13868, however, appears to have entered the public database via an external reporter — the NVD entry credits a “supplied” source, meaning it may have come from a third-party researcher or an organization that tracks vulnerabilities.
Android fragmentation adds a wrinkle: unlike Chrome on desktop, which updates itself automatically on most systems, Android updates depend on the Play Store and can be delayed by device manufacturers, carrier approval, or user settings. Consequently, a high percentage of Android devices run older Chrome versions for days or weeks after a patch drops. Google doesn’t publish real-time adoption figures, but historical data suggests that even critical fixes take several days to reach 80% of the active install base.
What to do now
-
Check your Chrome version. Open Chrome, go to chrome://version in the address bar, or tap the three-dot menu > Settings > About Chrome. Look for “Application version.” If it’s lower than 150.0.7871.47, proceed to step 2.
-
Update via the Play Store. Launch the Google Play Store, search for “Google Chrome,” and tap Update. If you see “Uninstall” and “Open” instead of “Update,” the latest version is already installed.
-
Enable auto-update. In the Play Store’s Chrome listing, tap the three-dot menu and check Enable auto update. This ensures future patches download without manual intervention.
-
Re-check for a stale WebView (advanced users or developers only). Go to Settings > Apps > Android System WebView and check its version. If it’s not showing the Chromium engine at version 150.0.7871.47, head to the Play Store entry for “Android System WebView” and update that as well.
-
If you’re an IT admin, push the update through your management console and verify that critical users — executives, finance, anyone handling sensitive data — are not running an older build. Consider a temporary conditional access policy if your platform supports it, though for a medium-severity bug that’s usually overkill.
There is no evidence yet of active exploitation, so you’re not racing against a zero-day. But the safest window is always the narrowest one.
Outlook
The CVE page will likely be updated with a full description in the coming days as Google completes its disclosure process. Expect a Chromium bug report to appear, linking to the code commit that fixes the issue — if the flaw is interesting, security researchers will reverse-engineer it quickly.
For everyday users, the takeaway is simple: turn on automatic Chrome updates and check your version periodically. Medium flaws rarely make headlines, but they add up. Each patch you ignore is a loose brick in the wall. Google has already shipped the fix; your job is just to install it.