CVE-2026-13822: Update Chrome Android to 150.0.7871.47

Answer first
  • Affected product: Google Chrome on Android before version 150.0.7871.47.
  • Attack prerequisite: The public description requires an attacker to persuade the user to install a crafted malicious extension. It does not describe a webpage-only trigger.
  • Published result: The malicious extension could bypass Chrome’s same-origin policy.
  • Required response: Update Chrome on Android to 150.0.7871.47 or later, then verify the complete installed version.
  • Unmanaged-device update path: Open Google Play Store → profile icon → Manage apps & device → Updates available → Google Chrome → Update. If Chrome is not listed, open its Play Store page and check whether an Update button is available.
  • Managed-device response: Use the organization’s enterprise mobility management or managed Google Play console to approve or assign the current Chrome release, enforce or schedule installation, synchronize affected devices, and verify the resulting full version in device inventory.
  • Complementary control: Review extension-installation restrictions and remind users not to install unapproved extensions. These precautions do not replace the documented fix.
  • Disclosure limit: The public record does not provide the precise vulnerable code path, a detailed exploit sequence, a public proof of concept, or CVE-specific detection artifacts.
CVE-2026-13822 affects Google Chrome on Android before version 150.0.7871.47. According to the published description, a remote attacker who persuades a user to install a crafted malicious extension could bypass the browser’s same-origin policy.
The documented remediation is version-based: move affected Chrome-on-Android installations to 150.0.7871.47 or later and collect fresh version evidence. The extension-installation prerequisite provides an additional control point, but extension hygiene is complementary rather than a substitute for updating.

Smartphone shows a Chrome update prompt beside a security dashboard blocking a malicious extension.Action Checklist for Administrators​

  • Inventory Google Chrome installations on managed Android devices.
  • Collect the complete Chrome version, including all four version components.
  • Flag every Chrome-on-Android installation earlier than 150.0.7871.47 as affected.
  • Treat missing, shortened, stale, or conflicting version data as unresolved.
  • Approve or assign an eligible Chrome release in the organization’s managed application console.
  • Enforce or schedule the application update according to organizational policy.
  • Trigger a device or application-policy synchronization where the management platform supports it.
  • Recheck inventory after the deployment window and confirm that each affected installation reports 150.0.7871.47 or later.
  • Keep devices below the remediation threshold in the active remediation queue.
  • Escalate devices whose complete Chrome version cannot be collected after a fresh check-in.
  • Review existing browser-extension installation restrictions as a complementary control.
  • Remind users not to install unexpected or unapproved extensions.
  • Track desktop Chrome and other Chromium-based browsers separately; this record establishes an Android Chrome scope.
  • Monitor authoritative vulnerability information for changes to the affected range, exploitation assessment, or available technical detail.

Documented Behavior and Its Operational Meaning​

The public description establishes a short attack sequence:
  1. An attacker persuades the user to install a crafted malicious extension.
  2. The extension runs in an affected version of Chrome on Android.
  3. The extension bypasses the browser’s same-origin policy.
The same-origin policy is a central browser isolation boundary. In simplified terms, it limits how content associated with one web origin can interact with resources associated with another. A bypass is therefore a meaningful browser security failure even though the public description requires prior installation of a malicious extension.
That prerequisite should be stated precisely. The record does not describe exploitation triggered solely by visiting a hostile webpage. It requires installation of a crafted malicious extension with user involvement. At the same time, the installation requirement does not make vulnerable versions safe: after the extension is installed, the affected browser fails to enforce the documented origin boundary.
The vulnerability is associated with CWE-346, Origin Validation Error. That classification is consistent with the same-origin policy consequence, but it does not reveal which Chrome component, extension API, function, request, message, or validation decision is defective.
The linked Chromium issue is permission-restricted, and the available public material does not provide:
  • The vulnerable source file or function.
  • The exact origin-validation failure.
  • The extension API or operation involved.
  • Required extension or host permissions.
  • The origins or resources that could be targeted.
  • A public proof of concept.
  • A malicious extension identifier.
  • CVE-specific indicators of compromise.
  • A reliable behavioral detection method.
  • A workaround equivalent to updating.
Operationally, that makes installed-version evidence the primary way to identify and close exposure. Security teams do not need a proof of concept or behavioral signature to determine whether Chrome on an Android device falls below the published remediation boundary.
The disclosure also does not establish applicability to desktop Chrome or to other Chromium-derived browsers. Shared upstream technology alone is insufficient to transfer Google Chrome for Android’s affected range to another product. Administrators should use each vendor’s own platform and version information when evaluating other browsers.

“High” and 6.5 “Medium” Describe Different Assessments​

Chromium classifies CVE-2026-13822 as High severity. The CISA-ADP CVSS 3.1 assessment displayed by NVD assigns a base score of 6.5, categorized as Medium.
Those labels reflect different assessment systems rather than an error that must be resolved by choosing one and discarding the other. Chromium’s label represents the vendor’s security classification of the browser vulnerability. CVSS uses standardized metrics designed to support comparison across vulnerability types and products.
The contributed vector is:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
In plain English, that vector models:
  • A network attack vector.
  • Low attack complexity.
  • No pre-existing privileges.
  • Required user interaction.
  • Unchanged scope.
  • No modeled confidentiality impact.
  • High modeled integrity impact.
  • No modeled availability impact.
The required user interaction helps explain why the numerical score remains in the Medium range. Under the published description, the attacker must persuade the user to install the malicious extension. The impact portion of the vector is also specific: it models high integrity impact without assigning confidentiality or availability impact.
Reporting should not expand those metrics into consequences that the record does not identify. The available information does not establish credential theft, document theft, access to a particular account, manipulation of a specific business transaction, browser crashes, or service disruption. It supports the narrower statement that successful exploitation produces a same-origin policy bypass and has a high modeled integrity effect.
The 6.5 score should retain its attribution. It is a CISA-ADP CVSS 3.1 contribution displayed by NVD, not an independently authored NVD or NIST score. NVD had not supplied its own CVSS assessment in the provided record.
Assessment or conditionRecorded resultPractical interpretation
Affected productGoogle Chrome on AndroidScope remediation to the specified product and platform
Affected rangeVersions before 150.0.7871.47Installations below this boundary remain affected
Chromium security severityHighGoogle considers the browser implementation issue serious
CISA-ADP CVSS 3.16.5 MediumRequired user interaction and the modeled impact categories reduce the standardized score
User interactionRequiredThe attacker must persuade the user to install a crafted malicious extension
Published consequenceSame-origin policy bypassA browser isolation boundary can be crossed after the prerequisite is met
Modeled impactHigh integrity; no confidentiality or availability impactPreserve the published impact distinctions
NVD-authored CVSS assessmentNot providedDo not describe the contributed 6.5 value as an “NVD score”
The accurate risk statement preserves both assessments: CVE-2026-13822 is a High-severity Chromium issue with a contributed CISA-ADP CVSS 3.1 score of 6.5 Medium, and its public description requires installation of a malicious extension.
The supplied CISA-ADP SSVC information lists exploitation as none, automatable as no, and technical impact as partial. These are point-in-time assessment values. “Exploitation: none” means that the assessment did not identify known exploitation; it is not proof that exploitation has never happened or cannot occur. “Automatable: no” is a decision-model classification and should not be converted into unsupported claims about exact attacker effort or tooling.

Android Scope and Update Procedures​

The affected-product information identifies Google Chrome on Android and versions before 150.0.7871.47. It does not establish that Chrome on Windows, macOS, Linux, or ChromeOS is affected by this CVE, nor does it establish equivalent version boundaries for other Chromium-based browsers.
For remediation tickets and vulnerability-management records, use the complete scope:
  • Application: Google Chrome
  • Platform: Android
  • Affected condition: Version earlier than 150.0.7871.47
  • Attack prerequisite: Installation of a crafted malicious extension
  • Published result: Same-origin policy bypass
  • Remediation threshold: Version 150.0.7871.47 or later
A scanner finding that says only “Chrome below 150.0.7871.47” omits the platform condition. Likewise, an inventory entry that reports only “Chrome 150” is insufficient because it does not show whether the device is below, at, or above 150.0.7871.47.

Unmanaged Android devices​

For a device updated directly through Google Play:
  1. Open the Google Play Store.
  2. Tap the profile icon in the upper-right corner.
  3. Select Manage apps & device.
  4. Under Updates available, select See details if necessary.
  5. Find Google Chrome.
  6. Tap Update.
  7. After installation completes, open Chrome and verify the full version.
The exact update path is:
Google Play Store → profile icon → Manage apps & device → Updates available → Google Chrome → Update
If Chrome does not appear under available updates, open the Chrome application page in Google Play. If the page offers Update, install it. If it offers only Open, verify the full installed version rather than assuming the device has crossed the remediation threshold.
Google Play availability can vary by device eligibility, release distribution, account configuration, and administrative controls. A device that is not yet offered 150.0.7871.47 or later cannot be closed as remediated merely because the Play Store says no update is currently available. Keep it unresolved until the required version is installed and verified.

Managed Android devices​

For organization-managed devices, use the enterprise mobility management platform and managed Google Play workflow available in the environment:
  1. Locate Google Chrome in the managed Google Play or enterprise application catalog.
  2. Confirm that Chrome is approved for the relevant users, device groups, or organizational units.
  3. Assign the current eligible Chrome release as a required or managed application.
  4. Select the organization’s enforced, automatic, or scheduled update mode as appropriate.
  5. Confirm that no application version pin, maintenance window, staged deployment rule, or device policy is holding affected devices below 150.0.7871.47.
  6. Initiate a device synchronization or policy check-in where supported.
  7. Allow the defined deployment window to complete.
  8. Refresh application inventory and collect the complete installed Chrome version from each device.
  9. Retain devices below 150.0.7871.47 in remediation.
  10. Escalate devices that fail to check in, fail installation, report insufficient storage, or do not return a complete version.
Console labels differ among management platforms, but the required outcome does not: the managed device must install Chrome 150.0.7871.47 or later, and inventory must confirm the installed full version.
A status such as “assigned,” “approved,” “deployment initiated,” or “installation requested” is not final remediation evidence. Close the finding only after the device reports a qualifying installed version.
Reported Chrome-on-Android versionStatus under the affected rangeAdministrative response
Earlier than 150.0.7871.47AffectedUpdate and collect fresh version evidence
Exactly 150.0.7871.47Outside the stated affected rangeRetain the complete version as closure evidence
Later than 150.0.7871.47Outside the stated affected rangeMaintain normal browser update management
Only “Chrome 150” is reportedUnknownCollect all four version components
Version is missing, stale, or conflictingUnknownForce a fresh check-in and escalate if collection still fails
Chrome on another operating systemNot established as affected by this recordEvaluate using platform-specific vendor information

Extension Controls Are Complementary, Not the Fix​

Because the public description requires installation of a malicious extension, organizations should review the controls governing extension installation and user approval. These controls may reduce the chance that the prerequisite is satisfied, but they are not the documented remediation for CVE-2026-13822.
The documented fix is to move Chrome on Android to 150.0.7871.47 or later.
Complementary precautions include:
  • Instruct users not to install unexpected or unapproved browser extensions.
  • Direct users to approved application and extension distribution channels.
  • Treat unsolicited instructions to install an extension as suspicious.
  • Require users to escalate questionable installation requests through established support or security channels.
  • Apply available enterprise restrictions to extension installation where the organization’s supported Chrome and Android management environment provides them.
  • Review exception processes that allow users or administrators to install unapproved browser components.
These measures are based on the published attack prerequisite, not on a documented CVE-specific campaign. The public information does not identify a malicious extension name, distribution site, social-engineering pretext, threat actor, or active exploitation campaign. Security communications should therefore avoid presenting a hypothetical campaign as an observed one.

Verified Disclosure Timeline​

The vulnerability record developed through contributions from Chrome, CISA-ADP, and NVD/NIST. The dates below are verified record events and should be retained with their attribution.
DateRecord eventAttribution
June 30, 2026CVE-2026-13822 was published in NVDNVD
July 1, 2026The record was modified with CISA-ADP enrichmentCISA-ADP
July 6, 2026Initial analysis was recordedNIST
The Chrome-originated description supplies the core product, version, prerequisite, and consequence: Chrome on Android before 150.0.7871.47; installation of a crafted malicious extension; and a same-origin policy bypass.
CISA-ADP supplies the displayed CVSS 3.1 assessment, CWE mapping, and SSVC context. NVD presents the record and its contributed information, while the July 6 initial analysis is attributed to NIST. These distinctions matter when copying data into internal advisories, scanners, or ticketing systems. In particular, the 6.5 Medium score should remain labeled as a CISA-ADP contribution rather than being shortened to an NVD-authored score.
The restricted Chromium issue continues to limit public technical precision. That does not prevent remediation because the affected platform and version boundary are explicit.

Verification and Closure Criteria​

Remediation should be measured against concrete evidence rather than deployment intent.
Inventory source: Use the organization’s authoritative Android device or application inventory. Acceptable sources may include enterprise mobility management inventory, managed application reporting, or direct device verification for unmanaged systems. Record which source produced the version evidence.
Full-version requirement: The evidence must contain all four components of the Chrome version. “Chrome 150,” “current,” “updated,” or “compliant” is not sufficient to compare the installation with 150.0.7871.47.
Remediation threshold: A Chrome-on-Android installation can leave the affected queue only when the authoritative inventory reports 150.0.7871.47 or later. Versions earlier than that threshold remain affected.
Recheck timing: Recheck after the organization’s defined deployment window or, for an individual unmanaged device, immediately after the Play Store update completes. Managed devices should perform a fresh policy or inventory check-in before the result is accepted. If inventory data has an age field, require data captured after the update attempt.
Escalation condition: Escalate any managed device whose full Chrome version cannot be collected after a fresh check-in and the normal inventory refresh interval. Also escalate devices that remain below the threshold, repeatedly fail installation, do not check in, or return conflicting application versions. Unknown version status is unresolved exposure, not proof of compliance.
The closing decision is therefore direct: if authoritative inventory shows Google Chrome on Android below 150.0.7871.47, update it. If inventory shows 150.0.7871.47 or later, retain that full version as evidence. If the complete version cannot be collected, keep the device open and escalate it for investigation.
CVE-2026-13822 does not require a speculative exploit narrative to justify action. Its public description identifies the prerequisite, the browser boundary that can be bypassed, the affected Android version range, and the remediation threshold. Update affected installations, verify the resulting full version, and use extension-installation controls as an additional layer rather than a replacement for the fixed Chrome release.

References​

  1. Primary source: NVD / Chromium
    Published: 2026-07-11T15:40:52-07:00
  2. Security advisory: MSRC
    Published: 2026-07-11T15:40:52-07:00
    Original feed URL
  3. Related coverage: developer.chrome.com
  4. Related coverage: chromium.org
  5. Official source: bughunters.google.com
 

Back
Top