Google has rushed out an emergency update for Chrome on Android to plug a serious security hole tracked as CVE-2026-13929. If your phone or tablet is running any build of Chrome older than version 150.0.7871.47, your device is exposed and you need to patch it now.

What’s actually being patched

The vulnerability lives inside the main browser engine — the part of Chrome that renders web pages and processes content. Google is keeping technical details under wraps for now, as is standard practice when a flaw could be actively exploited. What we do know is that the fix is sealed into Chrome 150.0.7871.47, a point-release that has no other feature changes. CVE-2026-13929 is the only CVE addressed in this rollout, signaling that the bug was severe enough to warrant a standalone patch outside Google’s normal bi‑weekly desktop and four‑week Android update rhythm.

Security researchers familiar with Chrome’s release cadence note that out‑of‑band fixes often accompany zero‑day vulnerabilities — those that bad actors are already exploiting in the wild before a patch is available. For the moment, Google has not confirmed in‑the‑wild exploitation, but the urgency of the update suggests the risk is material.

Why this update is different

Chrome for Android usually gets updated on the same 28‑day cycle as the desktop browser, with security‑only patches slipped into the regular release train. A mid‑cycle, single‑CVE push means the Chromium team and the Android security group hit the panic button. That kind of response is reserved for bugs that allow an attacker to take control of a device just by getting you to visit a web page — no extra interaction required.

Because the underlying Chromium code is shared with countless other browsers (Microsoft Edge, Brave, Opera, Samsung Internet, and more), there’s a strong chance similar fixes will appear in those products soon. For now, the officially confirmed patch is for Google’s own Chrome browser on Android.

What CVE-2026-13929 means for you

For everyday Android users:
If you use Chrome as your primary browser — and statistically, you do — your device could be silently compromised through a malicious website, an ad network, or even a rigged PDF opened inside the browser. The update takes less than a minute to install. Open the Play Store, search for “Chrome,” and hit “Update” if the button is available. Then verify the version number in Chrome’s Settings > About Chrome. The string should read 150.0.7871.47 or higher — no lower build number is safe.

For power users and enthusiasts:
Auto‑updates are sometimes deferred by battery optimization or background‑data restrictions. If you’re running a custom ROM, an older Android version, or have fiddled with Play Store auto‑update settings, you may not have the patch. Manually trigger the update as described above, and consider switching auto‑update on for Chrome if you had it off. Rooted devices should still update from the Play Store; sideloading from APK‑mirror sites is not recommended unless you can verify the SHA‑256 hash against the official Google‑published signature.

For IT admins and enterprise mobility managers:
Managed devices enrolled in Intune, Workspace ONE, or other MDM solutions won’t get the patch automatically unless Chrome is configured for managed updates. Check your compliance policies immediately. The minimum required OS version for Chrome 150 on Android is Android 8 (Oreo), so any device stuck on an earlier release (Android 6 or 7) will never receive this fix through official channels. Those devices must either move to a supported OS or have Chrome disabled entirely and replaced with a browser that still receives security updates.

How we got here

Chrome’s security posture is built on rapid patching and a transparent disclosure policy — usually. When a bug comes through the Chromium bug tracker or is reported through Google’s Vulnerability Rewards Program, it’s triaged, assigned a severity rating, and slotted into the next planned release. Critical or high‑severity bugs are backported to the current stable channel. Zero‑day vulnerabilities that are being actively exploited get an out‑of‑band fix, typically within 72 hours of discovery.

The CVE‑2026 identifier tells us this vulnerability was reserved in the 2026 calendar year, meaning it’s a newly discovered problem, not something that’s been brewing for years. The jump to version 150 follows Chrome’s accelerated numbering scheme — earlier in the 2020s, Chrome moved to a roughly four‑week major cycle, and version 150 lands in the spring of 2026.

The last time Chrome for Android received an emergency, single‑CVE patch was CVE‑2025‑5678 in late 2025, a sandbox‑escape bug that was chained with a JavaScript engine flaw to push spyware onto targets in the Middle East. That incident pushed Google to shorten the Android patch gap to match desktop more closely, but mid‑cycle surprises like today’s CVE‑2026‑13929 prove that no cycle is fast enough for a zero‑day.

What to do right now

  1. Open the Google Play Store on your Android phone or tablet.
  2. Search for “Google Chrome.” If you see an “Update” button, tap it. If you already have version 150.0.7871.47 or later, you’ll see “Open” instead.
  3. Confirm the version. Inside Chrome, tap the three‑dot menu > Settings > About Chrome. The Application version field should show 150.0.7871.47 and the build number should match. Do not trust the version shown in Android’s Settings > Apps list — that sometimes lags behind.
  4. Enable auto‑update if you haven’t. Go to Play Store settings > Auto‑update apps, and choose “Over any network.” On metered connections you might want “Over Wi‑Fi only,” but Chrome security patches are typically small (under 30 MB).
  5. Enterprise admins: Validate that your organization’s managed Play Store has approved the latest Chrome update. For devices that are stuck on Android 7 or older, issue a migration plan immediately.
  6. Reboot your device. While not strictly necessary, a restart ensures all running Chrome processes (including WebView) are fully cycled.

Outlook

Google will likely publish a full technical write‑up of CVE‑2026-13929 in two to four weeks, once a critical mass of users have applied the patch. At that point, we’ll learn whether the bug allowed remote code execution, information disclosure, or privilege escalation — and whether it was chained with other exploits. Keep an eye on the Chrome Releases blog and the Android Security Bulletin for updates. In the meantime, treat any device running a pre‑150 build of Chrome as potentially compromised and prioritize the update over all other routine maintenance.