Google shipped an urgent fix for Chrome on Android on June 30, 2026, closing a data-stealing hole in the browser’s WebXR component. The vulnerability, tracked as CVE-2026-14008, allows a remote attacker to read potentially sensitive information from memory by luring a victim to a specially crafted webpage. With Chrome version 150.0.7871.47 rolling out to the Play Store, Android users must patch immediately.
Chrome 150.0.7871.47 patches a medium‑severity WebXR flaw
The June 30 update to Chrome for Android includes only one documented security fix: CVE-2026-14008. Google classifies the bug as medium severity, but the mechanics of the flaw make it a serious privacy concern for anyone who browses the mobile web.
An uninitialized memory read in the WebXR runtime means the browser can accidentally expose chunks of memory that belong to other tabs or processes. A remote attacker can set up a website that leverages WebXR — the API that powers virtual and augmented reality experiences in the browser — and then read that stray memory. In practical terms, the attacker could harvest login tokens, cookies, autofill data, or even passwords that happen to be loaded in memory at the time.
The issue, reported by an external researcher through Google’s Vulnerability Reward Program, exists only in Chrome for Android. Desktop versions (Windows, macOS, Linux) and Chrome on iOS are not affected. WebXR support on Android is enabled by default, so the average user is vulnerable until they apply the patch.
What the flaw means for you
For everyday Android users
If you use Chrome on your phone or tablet, an attacker could steal sensitive data simply by getting you to visit a malicious website. The attack requires no additional clicks, downloads, or permissions — just browsing to a page that activates WebXR. Because the flaw leaks memory contents indiscriminately, an attacker could snag anything from social‑media session cookies to cached credit‑card numbers.
There are no reports of active exploitation in the wild yet, but security researchers often see scanning and proof‑of‑concept attempts within days of a public disclosure. The medium‑severity rating reflects the fact that the attacker needs to lure a victim to a site they control, which is a low barrier in today’s world of phishing links and malvertising.
For Windows users with Android devices
Although the bug lives inside Chrome for Android, it matters to Windows users who sync their phones via Microsoft’s Phone Link, use the same Google account across devices, or rely on password managers that bridge the gap. If your mobile Chrome session contains tokens for services you also use on Windows — such as Microsoft 365, OneDrive, or even corporate VPNs — a memory leak on the phone could give an attacker a stepping stone into your broader digital life.
Think of it as a reminder that cross‑device hygiene is essential. A single unpatched app on one device can undermine the security of everything else on your network.
For enterprise IT administrators
Managed Android devices that haven’t updated Chrome to at least 150.0.7871.47 are vulnerable. If your organization relies on Android phones for email, Teams, or line‑of‑business apps accessed through the browser, an unpatched Chrome becomes a liability. The fix should be pushed through your mobile device management (MDM) platform immediately, and any compliance policies that block outdated browser versions should be applied.
How we got here: WebXR and the uninitialized‑memory pitfall
WebXR landed in Chrome for Android back in 2018 (version 79) as a way to bring immersive VR and AR experiences into the browser without plugins. The API handles everything from 3D rendering to sensor access, and its complexity has made it a magnet for security researchers. Several medium‑ and high‑severity bugs in WebXR have been patched since its debut, often involving memory‑handling mistakes in the underlying C/C++ code.
Uninitialized memory bugs arise when a program reads from a block of RAM that hasn’t been properly cleared. Instead of getting a predictable value, the program sees whatever happened to be left behind by a previous operation — sometimes the contents of another process, an encryption key, or a password. In this case, the Chrome team determined that the WebXR code was reading memory without first making sure it was initialized, creating a data‑leakage vector.
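To make the bug class concrete, here is an added C illustration (not Chrome's code and not the actual WebXR defect): a record is only partially filled before the whole thing is copied to the caller, so bytes left over from an earlier use cross the boundary, while the fixed variant clears the record first. The pose_t layout, the reused arena and the 0xAB marker byte are constructed for the demo.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a pose record handed to page script; not Chrome's layout. */
typedef struct {
    float position[3];
    float orientation[4];   /* only written when tracking succeeds */
    uint32_t tracked;
    uint32_t reserved;      /* never written by either path */
} pose_t;

#define SECRET_BYTE 0xAB    /* marker for data left behind by an earlier use */
static pose_t arena;        /* storage reused between calls, like a pool */

/* Field writes shared by both variants: deliberately partial on one branch. */
static void write_fields(pose_t *p, int tracking_ok) {
    p->position[0] = 1.0f; p->position[1] = 2.0f; p->position[2] = 3.0f;
    if (tracking_ok)
        for (int i = 0; i < 4; i++) p->orientation[i] = 0.0f;
    p->tracked = (uint32_t)tracking_ok;
}

/* Vulnerable pattern: write some fields, then copy the whole record across a
 * trust boundary. Every byte this call never wrote still holds stale data. */
static void get_pose_vulnerable(int tracking_ok, pose_t *out) {
    write_fields(&arena, tracking_ok);          /* no clearing first */
    memcpy(out, &arena, sizeof *out);
}

/* Fixed pattern: zero the record before any write, so each byte that crosses
 * the boundary has a defined value on every branch. */
static void get_pose_fixed(int tracking_ok, pose_t *out) {
    memset(&arena, 0, sizeof arena);
    write_fields(&arena, tracking_ok);
    memcpy(out, &arena, sizeof *out);
}

/* Simulate an earlier use that left secrets behind, then count marker bytes reaching the caller. */
static size_t stale_bytes_leaked(int use_fixed, int tracking_ok) {
    pose_t out;
    memset(&arena, SECRET_BYTE, sizeof arena);
    if (use_fixed) get_pose_fixed(tracking_ok, &out);
    else           get_pose_vulnerable(tracking_ok, &out);
    const unsigned char *b = (const unsigned char *)&out;
    size_t n = 0;
    for (size_t i = 0; i < sizeof out; i++) n += (b[i] == SECRET_BYTE);
    return n;
}
```

With tracking lost, the vulnerable path hands back 20 stale bytes (the unwritten orientation plus the reserved field); the cleared version hands back none on either branch.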
The flaw was disclosed on June 30, 2026, the same day the stable‑channel update appeared. Google’s policy is to release details after a fix is ready, so there is no grace period for users who delay the update. The company awarded an undisclosed bounty to the researcher who found CVE‑2026‑14008 under its Vulnerability Reward Program, which has paid out tens of thousands of dollars for similar mobile‑specific findings.
What to do now: update Chrome to version 150.0.7871.47
Patching is straightforward and takes less than a minute.
- Check your current version – Open Chrome on your Android device, tap the three‑dot menu, go to Settings > About Chrome. The version number appears at the top. If it shows 150.0.7871.47 or higher, you’re safe.
- Update via the Play Store – If you don’t have the latest version, open the Google Play Store, tap your profile icon, select Manage apps & device, then find Chrome under Updates available and tap Update.
- Enable automatic updates – In the Play Store, go to Settings > Network preferences > Auto‑update apps and choose Over Wi‑Fi only or Over any network to ensure Chrome updates without manual intervention in the future.
- Verify with a restart – After updating, restart Chrome. The new version should be active immediately, closing the memory‑leak hole.
For IT admins, deploy the update through your MDM console. Many platforms allow you to set a minimum version for Chrome and automatically force the update. If your compliance checks flag devices with Chrome < 150.0.7871.47, quarantine or block those devices until they’re patched.
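A caveat for that minimum-version rule: the comparison must be numeric per component, because plain string ordering ranks 150.0.7871.5 above 150.0.7871.47. The following added C example (not from any MDM product; the function names are assumptions) shows a correct check against the fix version beside the lexical pitfall.

```c
#include <stdlib.h>
#include <string.h>

#define MIN_CHROME_VERSION "150.0.7871.47"   /* fix version from the advisory */

/* Parse one dotted component as an integer and move past it. Always advances,
 * so malformed input cannot stall the comparison loop. */
static unsigned long next_component(const char **s) {
    char *end;
    unsigned long v = strtoul(*s, &end, 10);
    while (*end && *end != '.') end++;
    if (*end == '.') end++;
    *s = end;
    return v;
}

/* strcmp-style result. Missing trailing components compare as 0. */
static int version_cmp(const char *a, const char *b) {
    while (*a || *b) {
        unsigned long x = *a ? next_component(&a) : 0;
        unsigned long y = *b ? next_component(&b) : 0;
        if (x != y) return x < y ? -1 : 1;
    }
    return 0;
}

/* Correct compliance check: numeric, component-wise comparison. */
static int chrome_is_patched(const char *reported) {
    return version_cmp(reported, MIN_CHROME_VERSION) >= 0;
}

/* The pitfall: plain string ordering. It accepts "150.0.7871.5" as patched
 * because '5' sorts after '4', even though that build is older. */
static int chrome_is_patched_lexical(const char *reported) {
    return strcmp(reported, MIN_CHROME_VERSION) >= 0;
}
```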
Outlook: more XR scrutiny ahead
WebXR is likely to face tougher security reviews as Google integrates it more deeply with emerging features like WebGPU and WebAssembly. Developers building VR and AR applications for the browser need to stay current not just with Chrome’s stable channel, but also with Canary and Beta builds where bugs like this are often caught first. For everyone else, the lesson is simple: turn on automatic browser updates on every device you own. Cybercriminals rely on the gap between disclosure and patching, and you never want to be the one who stayed on the old version for “just another day.”