Google has pushed an urgent security fix for Chrome on Android, addressing a newly disclosed vulnerability identified as CVE-2026-13887. The company is rolling out the patch in version 150.0.7871.47 of the browser, and users running earlier builds are at risk. Android device owners should update Chrome immediately—the flaw is confirmed to affect the mobile version, but Google has not found evidence of it impacting Chrome on desktop platforms.

What Actually Changed

Google released Chrome 150.0.7871.47 for Android, an update exclusively targeting CVE-2026-13887. As with many critical vulnerabilities, Google is withholding technical details to protect users until a majority have applied the patch. The Chrome Releases blog notes that the vulnerability could allow an attacker to execute arbitrary code or cause a crash, though the exact impact remains unspecified.

This is not a routine update; the version jump from the previous stable build indicates an emergency fix was merged out-of-band. The Android-only nature of the flaw suggests it resides in components specific to the mobile platform, such as the rendering engine’s handling of touch events, media playback, or WebView. Desktop Chrome, built on a different UI framework, appears unaffected.

What It Means for You

For everyday users, the risk is straightforward: if you use Chrome on an Android phone or tablet, your device could be compromised by simply visiting a malicious website. An attacker could exploit the flaw to steal data, install malware, or gain control. Because Chrome is deeply integrated into Android’s ecosystem—including WebView—the vulnerability could extend beyond the browser to in-app browsing in social media, email clients, and other applications.

For IT administrators managing enterprise fleets, the stakes are amplified. Unpatched Chrome becomes a vector for phishing or lateral movement attacks. MDM solutions that enforce minimum app versions need to be updated to require 150.0.7871.47 or later. Additionally, any Android app that embeds a WebView might inherit the vulnerability if it doesn’t override the system Chrome components, so admins should push OS-level security patches that also update the underlying WebView.

Developers of Android apps that use WebView should test their applications against the patched version and consider updating their target SDK if they rely on specific Chrome behaviors.

How We Got Here

Chrome’s regular release cycle follows a six-week cadence, with stable updates landing roughly every month. Critical bugs sometimes force Google to accelerate patches—these “emergency” or “out-of-band” updates have become more frequent as browser complexity grows. In 2024, Google patched over 40 zero-day vulnerabilities across Chrome, many actively exploited before a fix was available.

CVE-2026-13887 is the latest in a series of Android-specific Chrome vulnerabilities. Just last year, CVE-2025-0291 was a high-severity flaw in Chrome’s V8 JavaScript engine that also only affected Android, highlighting that the mobile platform’s implementation often diverges enough from desktop to harbor unique bugs. Google’s decision to restrict details until a broad update rollout is standard practice; the company typically publishes technical analysis after a few weeks.

What to Do Now

If you’re a home user:

  1. Open the Google Play Store on your Android device.
  2. Search for “Google Chrome” or go to My apps & games > Updates.
  3. If an update is available for Chrome, tap Update. The version number should show 150.0.7871.47 or higher.
  4. To verify, open Chrome, tap the three-dot menu, go to Settings > About Chrome. The version will be displayed there.
  5. Enable automatic updates in the Play Store to avoid missing future patches.

For enterprise and MDM admins:

  • Confirm that your MDM policy enforces a minimum Chrome version of 150.0.7871.47 for all managed Android devices.
  • Check for any Chrome-related App Protection Policies that could be violated by an outdated version.
  • Audit devices and generate a compliance report; force updates remotely on non-compliant units.
  • If your organization uses Android Enterprise work profiles, ensure the work profile Chrome is also updated (it may need separate approval).
  • Monitor Google’s Chrome Enterprise release notes for any additional guidance on this CVE.

Developers:

  • If your app uses WebView, test on devices updated to the latest Chrome/WebView. Consider forcing a minimum WebView version in your code if critical.
  • Update any browser automation or testing scripts that pin Chrome versions to account for .47.

Outlook

Google is likely to release more information about CVE-2026-13887 in the coming weeks through its Chrome Releases blog and the Chromium bug tracker. The CVE entry on the National Vulnerability Database will also be updated with severity scores once the analysis is complete. The emergency release suggests the vulnerability is being actively exploited or is at high risk. For Android users, the message is clear: don’t postpone this update. Future Chrome releases will continue to address security flaws; staying current is the only defense.