CVE-2026-13943: Update Chrome Android to 150.0.7871.47

CVE-2026-13943 affects Google Chrome on Android before version 150.0.7871.47. Chrome’s description says a remote attacker can use crafted HTML to obtain potentially sensitive information from browser-process memory. CISA-ADP’s assessment requires user interaction but no attacker privileges and scores the direct impact as high for confidentiality, with no integrity or availability impact. Update affected Android installations and verify that the complete installed Chrome version is 150.0.7871.47 or later.
As a general Android UI path, users can usually find the version under Chrome > three-dot menu > Settings > About Chrome and obtain application updates through Chrome’s listing in the Google Play Store. Menu names and locations can vary by Android release, device manufacturer, and Play Store version. The decisive check is the complete Chrome version shown after the update attempt, not whether an update button was selected.
WindowsForum scope check: Do not open Windows Chrome findings from this Android-scoped CVE solely because NVD links a desktop Chrome release note.

A smartphone shows Chrome’s About page beside Google Play, code screens, memory readouts, and a security shield.What the Vulnerability Discloses—and What It Does Not​

Chrome categorizes CVE-2026-13943 as an uninitialized-use vulnerability in CSS and maps it to CWE-457, Use of Uninitialized Variable. In general, this weakness occurs when software reads or uses a value before placing that memory in a dependable initial state. Stale or unintended information can then influence behavior or become observable.
The Chrome-originated description presented by the National Vulnerability Database says crafted HTML can obtain potentially sensitive information from process memory in affected Chrome-on-Android versions. That establishes an information-disclosure risk, but the disclosed record does not identify the specific data recoverable through the flaw.
The associated Chromium issue, 513204116, is permission-restricted. Public material therefore does not provide the trigger, proof of concept, affected memory structures, disclosure reliability, or examples of successfully recovered information. “Process memory” defines a technical location; it is not a verified list of exposed credentials, cookies, tokens, files, account records, or other data.
The available record also does not establish arbitrary file access, complete memory dumping, sandbox escape, application installation, Android compromise, data modification, or service disruption. Those limits should prevent exaggerated impact claims without minimizing the documented confidentiality failure.

Severity Supports Prompt, Proportionate Remediation​

CISA-ADP contributed the visible CVSS 3.1 vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
That vector produces a base score of 6.5, rated Medium. It is a CISA-ADP contribution displayed by NVD, not an NVD-authored CVSS assessment.
The vector describes a network-reachable vulnerability with low attack complexity, no privileges required, required user interaction, unchanged scope, high confidentiality impact, and no scored integrity or availability impact. Based on the UI:R value and Chrome’s crafted-HTML description, it is reasonable to infer that a target must encounter the crafted web content. The record does not independently document a campaign-specific delivery workflow, so examples such as malicious links, advertisements, messages, or redirects should not be reported as confirmed methods used for this CVE.
“Low attack complexity” does not prove that exploitation is technically easy to develop. It means the scoring assessment does not depend on unusual conditions outside the attacker’s control. Likewise, “privileges required: none” means the modeled attacker does not need prior authorized access; it does not add capabilities beyond the documented information disclosure.
CISA-ADP’s SSVC contribution records exploitation as none, automatable as no, and technical impact as partial. These are point-in-time assessment fields, not guarantees that exploitation has never happened or will not emerge. The public record does not identify active exploitation, a public proof of concept, a known attacker, a validated exploit chain, or CVE-specific indicators of compromise.
Taken together, the evidence supports a patch promptly and verify response. It does not support treating every affected device as compromised or initiating an emergency device-isolation campaign solely because the vulnerable version is installed.

Keep the Platform and Version Boundary Intact​

The NVD configuration identifies Google Chrome in an Android context and states that versions before 150.0.7871.47 are affected.
Deployment stateProduct and platformVersionPublished statusOperational meaning
ExposedGoogle Chrome on AndroidEarlier than 150.0.7871.47AffectedInside the NVD-stated affected range
Threshold metGoogle Chrome on Android150.0.7871.47 or laterOutside the stated affected rangeMeets the published threshold
Not establishedGoogle Chrome on Windows, macOS, or LinuxAny versionNot proven affected by this recordRequires separate platform-specific evidence
The complete four-part version matters. A device reporting 150.0.7871.46 remains below the threshold even though it runs milestone 150. A result that reports only “Chrome 150” is insufficient to resolve the finding.
Version 150.0.7871.47 or later is best described as meeting the published threshold or being outside the NVD-stated affected range. That boundary does not prove that an update is immediately available through every Android distribution channel, on every device, or in every region. It also should not be described as proof that every later distribution state contains a particular corrected binary unless Chrome supplies that additional release detail.
The Android condition is equally important. NVD’s desktop Chrome release-note reference does not independently declare Windows, macOS, or Linux affected. Reference links can provide context without expanding the affected-product configuration.
The record also does not establish applicability to Android itself, Microsoft Edge, or every Chromium-derived browser. Shared Chromium ancestry is not enough to prove that another product contains the affected code, exposes the same path, or follows Chrome’s version boundary. Each browser requires its own vendor statement or other product-specific evidence.

Why the Restricted Chromium Issue Matters​

Chromium issue 513204116 is not publicly readable through the supplied material. Its restricted status establishes that the report cannot currently be reviewed publicly, but it does not establish why access is restricted or when additional details may appear.
Without the issue content, defenders cannot independently determine which CSS operation triggers the flaw, how repeatable the disclosure is, how much information may be returned, or which browser state affects the result. “Uninitialized Use in CSS” identifies a weakness class and subsystem but not a complete exploit mechanism.
This uncertainty cuts in both directions. The absence of a public proof of concept is not a reason to dismiss a browser memory-disclosure vulnerability. It is also not a basis for claiming reliable extraction of passwords, session material, encryption keys, personal records, or arbitrary memory.
The supported remediation decision does not require those missing details. Administrators can act on the named product, Android platform condition, affected-version range, and measurable version threshold without speculating about the restricted report.

Android Update and Verification Procedure​

The following is a general navigation path rather than a universal interface specification:
  1. Open Chrome on the Android device.
  2. Open Chrome’s menu and locate Settings.
  3. Open About Chrome or the equivalent version-information page.
  4. Record the complete installed version.
  5. If the version is earlier than 150.0.7871.47, locate Google Chrome in the Google Play Store.
  6. Install an available Chrome update through the normal application-update interface.
  7. Return to Chrome’s version-information page.
  8. Confirm that the displayed version is 150.0.7871.47 or later.
Android, device-manufacturer, Chrome, and Play Store interface changes may alter the exact labels or menu placement. If the navigation differs, users should use the device’s normal method for viewing the installed Chrome application version and opening Chrome’s Play Store listing.
Selecting Update, seeing an update offered, or assuming automatic updates are enabled does not demonstrate the resulting installed version. The finding is resolved when current evidence shows that the application meets the published threshold.
Users must check the Chrome application version, not the Android version or Android security-patch date. Those values describe different software components and cannot substitute for the Chrome version named in this CVE.

Fleet Remediation Is a Version-Evidence Problem​

Organizations need a narrow, product-neutral objective: identify relevant Android devices, determine the complete installed Google Chrome version, remediate versions below 150.0.7871.47, and collect fresh version evidence afterward.
The CVE record does not document the capabilities, reporting fields, deployment behavior, or enforcement options of any particular inventory or device-management product. Administrators should consult the documentation for the tools they use rather than assume that a platform can collect a specific field, install the update, or prove the resulting application state.
Fleet stateMeaningRequired action
Confirmed exposedAndroid Chrome is earlier than 150.0.7871.47Remediate and recheck
Threshold metAndroid Chrome is 150.0.7871.47 or laterRecord the verified version
Update action unverifiedAn update was requested or attempted, but the resulting version is unknownObtain current version evidence
UnknownVersion information is missing, incomplete, stale, or conflictingKeep unresolved and investigate
Different browserThe application is not Google Chrome for AndroidCheck that vendor’s own information
Desktop ChromeChrome is running on Windows, macOS, or LinuxDo not mark affected from this record alone
An update assignment and an installed-version observation answer different questions. The first records an attempted administrative action; the second determines whether the device is currently inside or outside the stated affected range.
Missing information should not be silently treated as compliant. An unknown device is not confirmed vulnerable, but it is also not verified as meeting the threshold. Where inventory reports only a major version, administrators need another trustworthy observation of the full version string.

Action Checklist for Administrators​

  • Identify Google Chrome installations on Android devices within the defined management scope.
  • Collect the complete four-part installed Chrome version.
  • Flag confirmed versions earlier than 150.0.7871.47.
  • Treat missing, truncated, stale, or conflicting version information as unresolved.
  • Remediate affected installations through the organization’s supported application-update process.
  • Collect fresh version evidence after the remediation attempt.
  • Close the finding only when current evidence shows version 150.0.7871.47 or later.
  • Confirm that the identified application is Google Chrome rather than another Chromium-derived browser.
  • Do not substitute the Android operating-system version or security-patch date for the Chrome version.
  • Exclude Windows, macOS, Linux, ChromeOS, Edge, and other browser findings created solely through generic product-name or Chromium matching.
  • Do not treat an affected version as proof that exploitation or information loss occurred.
  • Monitor authoritative records for changes in affected scope, technical detail, version boundaries, or exploitation status.
Organizations may prioritize remediation using their normal risk framework. Device role, access to sensitive services, and business criticality can inform scheduling, but they should not be presented as evidence that this vulnerability has exposed a particular account, application, or data type.

What Windows-Centric Teams Should Do​

For Windows-focused security teams, the most important task is correct routing and scope control.
A scanner or vulnerability platform may associate the CVE with desktop Chrome because NVD includes a desktop release-note reference or because a correlation rule matches the generic product name. Neither condition overrides the Android-specific product configuration.
A supportable finding from the supplied record requires:
  • Google Chrome as the product.
  • Android as the platform context.
  • A complete installed version earlier than 150.0.7871.47.
A Windows endpoint running Chrome does not satisfy that evidence test. Windows Chrome should remain current under the organization’s general browser-maintenance policy, but that standing requirement is separate from CVE-2026-13943. Opening or retaining a Windows vulnerability ticket for this CVE requires additional platform-specific evidence.
The distinction prevents two operational errors: wasting desktop-remediation effort on an unsupported match and overlooking the Android installations actually named by the record. Windows-centered organizations that also permit Android access should ensure the issue reaches whichever owner handles mobile browser maintenance, without broadening the technical claim to Windows.
A concise internal ticket can state:
CVE-2026-13943 affects Google Chrome on Android before version 150.0.7871.47. Chrome describes crafted HTML obtaining potentially sensitive information from browser-process memory. Update affected Android installations and verify the complete installed Chrome version. The supplied record does not establish that Chrome on Windows or other Chromium-derived browsers is affected.

Reporting Limits and Provenance​

The public record combines material from multiple contributors. Chrome supplied the core vulnerability description, Android product scope, affected range, and CWE-457 classification. CISA-ADP supplied the visible CVSS 3.1 score and SSVC values. NVD presents the record and affected-product configuration but does not provide its own visible CVSS assessment in the supplied material.
Reports should preserve those distinctions. The 6.5 Medium score should be called the CISA-ADP CVSS 3.1 assessment displayed by NVD, not simply an “NVD score.”
The previously asserted June 30, 2026 publication date is omitted because it is not sufficiently supported by the supplied material for this revision. An exact calendar date is unnecessary to apply the product, platform, and version boundary.
The current evidence supports saying that:
  • Crafted HTML is the documented malicious input.
  • CISA-ADP’s vector requires user interaction and no attacker privileges.
  • The modeled direct effect is high confidentiality impact.
  • Integrity and availability impact are scored as none.
  • CISA-ADP’s SSVC contribution records exploitation as none.
  • The restricted Chromium issue leaves the trigger and demonstrated exposed data unspecified.
  • No active campaign, public proof of concept, validated indicator, or complete exploit chain is identified in the supplied record.
It does not support telling users that every website can read their device, that credentials have been demonstrated as recoverable, or that an affected version proves a breach. Exposure and exploitation are separate findings.

Verify the Version and Watch for Changes​

CVE-2026-13943 has a specific, measurable response. Find Google Chrome installations on Android that are earlier than 150.0.7871.47, apply an available update through the supported application-update process, and verify the complete installed version afterward.
Chrome 150.0.7871.47 or later meets the published threshold and is outside the NVD-stated affected range. Unknown or lower versions remain unresolved. That conclusion should not be generalized to every Chromium browser or used to create Windows Chrome findings without additional evidence.
Future authoritative updates may disclose more about the restricted Chromium issue, revise the affected range, identify additional platforms, change the exploitation assessment, or provide product-specific guidance. Until then, the defensible course is prompt but precise: remediate the Android product named by the record, preserve the full version evidence, avoid unsupported compromise claims, and keep desktop findings out of scope unless new evidence establishes otherwise.

References​

  1. Primary source: NVD / Chromium
    Published: 2026-07-11T15:41:21-07:00
  2. Security advisory: MSRC
    Published: 2026-07-11T15:41:21-07:00
    Original feed URL
  3. Related coverage: security.snyk.io
  4. Related coverage: chromium.org
 

Back
Top