CVE-2026-14096: Update Chrome Android to 150.0.7871.47

CVE-2026-14096 is a Google Chrome for Android information-disclosure flaw that can let an attacker with an already-compromised renderer leak cross-origin data through crafted HTML on versions earlier than 150.0.7871.47. Google labels the Chromium security severity Low, while CISA-ADP’s CVSS 3.1 assessment scores it 6.5 MEDIUM. That apparent contradiction is the story: this is not a stand-alone browser takeover, but it weakens a confidentiality boundary that matters after another exploit has already succeeded.
For ordinary users, the response is direct: update Chrome on Android and confirm that the installed version is 150.0.7871.47 or later. Security teams should treat the version check as the closing test rather than relying on an update notification, deployment command, or scanner status.

Illustration of Chrome’s security update, privacy protections, and cross-origin isolation shielding user data.Update and Verify Chrome on Android​

Android users should perform the update explicitly:
  1. Open Google Play Store.
  2. Tap the profile icon.
  3. Select Manage apps & device.
  4. Open Updates available. On some Play Store versions, this may appear as See details under the updates section.
  5. Find Google Chrome.
  6. Tap Update.
After installation, verify the installed version from Chrome:
  1. Open Chrome.
  2. Tap the three-dot menu (⋮).
  3. Select Settings.
  4. Select About Chrome.
  5. Confirm that the complete version is 150.0.7871.47 or later.
Menu labels can vary slightly by device manufacturer, Android release, Chrome build, and Google Play Store interface. The decisive result is not whether Google Play displayed an Update button or reported that an update completed. The decisive result is that Chrome reports version 150.0.7871.47 or later.
If Chrome still shows an earlier version, the installation remains within the published affected range. If the version cannot be determined, remediation has not been verified and the device should remain unresolved.
For managed fleets, administrators should collect fresh application-version inventory after remediation. An update assignment shows what the organization intended to install; the observed Chrome version shows what is actually installed.

Google’s Low Rating Describes the Prerequisite, Not the Value of the Data​

The National Vulnerability Database describes CVE-2026-14096 as an inappropriate implementation in Chrome’s Input component. The stated result is exposure of sensitive information to an unauthorized actor, and CISA-ADP maps the issue to CWE-200.
The component name is less informative than it may sound. The public record does not identify a particular input control, gesture, event path, form element, or Android subsystem. The associated Chromium issue is permission-restricted, so its contents cannot be used as a public basis for a more detailed explanation.
The available description does establish an important prerequisite: the attacker must already have compromised the renderer process. The attacker can then use crafted HTML to reach the vulnerable behavior and leak cross-origin data.
That prerequisite helps explain Chromium’s Low rating. CVE-2026-14096 is not described as the flaw that initially compromises the renderer. It is a capability that may become useful after the renderer has already been compromised.
The record does not say that this vulnerability independently provides arbitrary code execution, a sandbox escape, persistence, operating-system privileges, or complete control of an Android device. Reporting it as a stand-alone browser or device takeover would therefore exceed the supplied evidence.
At the same time, “Low” should not be translated into “irrelevant.” A post-compromise information-disclosure primitive can be valuable inside an exploit chain even when it is not independently sufficient to start that chain. The practical question is not only whether one vulnerability can complete an attack by itself, but also what security boundary it weakens after another stage succeeds.

A Renderer Compromise Is the Beginning of This Attack, Not Its Outcome​

The phrase “had compromised the renderer process” carries most of the threat-model context in the public description. It tells defenders that CVE-2026-14096 is a second-stage capability rather than the initial point of compromise.
An attacker would first need another vulnerability, technique, or existing foothold capable of producing control inside the renderer. The public record does not identify that first stage. It also does not document a complete exploit chain in which CVE-2026-14096 has been combined with another named vulnerability.
After obtaining the required renderer control, an attacker could attempt to use crafted HTML to trigger the inappropriate implementation. The documented consequence is a confidentiality breach involving cross-origin data.
CISA-ADP’s CVSS vector rates confidentiality impact High while assigning no integrity or availability impact. That is consistent with the narrow public description: information may be exposed, but the record does not say that data can be modified, services can be disrupted, or the device can be controlled through this flaw alone.
The exact exposed information is not identified. The record does not specify:
  • Which data types can be disclosed.
  • Which origins can be reached.
  • Whether every cross-origin resource is equally exposed.
  • Whether authentication material is involved.
  • Whether exploitation works consistently across Android devices.
  • What browser, endpoint, or network artifacts an attempt would leave behind.
  • Whether a practical exploit has been publicly demonstrated.
Those unknowns matter. Security teams should not convert the general cross-origin disclosure impact into unsupported claims about stolen credentials, session tokens, documents, email, or data from a named service.
The requirement for user interaction also appears in CISA-ADP’s CVSS vector. The vector records UI:R, and the description identifies crafted HTML as part of the attack. That supports describing attacker-controlled web content as part of the vulnerable interaction, but it does not provide enough information to reconstruct the precise delivery sequence or required user behavior.
This is also why the CVSS labels should not be read without the narrative prerequisite. A vector describing a network attack, low attack complexity, no required privileges, and required user interaction does not erase the vendor’s statement that the renderer must already be compromised. The numerical assessment models the scored vulnerability; it is not a substitute for the full vulnerability description.

Low, Medium, and Not Yet Scored Can All Be Accurate​

The record contains distinct assessments from different sources. They should not be flattened into a single unlabeled severity.
Assessment sourceFrameworkRating or scoreCorrect interpretation
ChromiumChromium security severityLowVendor severity reflecting the flaw’s position and prerequisite within Chrome’s security model
CISA-ADPCVSS 3.16.5 MEDIUMContributed standardized score emphasizing High confidentiality impact
NVDCVSS 4.0N/ANo separate NVD assessment in the supplied record
NVDCVSS 3.xN/ANo separate NVD assessment in the supplied record
NVDCVSS 2.0N/ANo separate NVD assessment in the supplied record
Chromium’s Low label can be understood in light of the already-compromised-renderer requirement. The vulnerability is less independently powerful than a defect that directly compromises a renderer, crosses a sandbox boundary, or produces a complete attack without a prior foothold.
CISA-ADP’s 6.5 MEDIUM score emphasizes the impact once the vulnerable stage is reachable. Its CVSS 3.1 vector records network accessibility, low attack complexity, no required privileges, required user interaction, unchanged scope, High confidentiality impact, and no integrity or availability impact.
The assessments are not interchangeable, but they are not necessarily contradictory. One emphasizes where the defect sits in an exploit chain; the other applies a standardized impact and exploitability model to the vulnerability.
The 6.5 score should be described as CISA-ADP’s CVSS 3.1 score displayed in the NVD record, not simply as “NVD’s score.” NVD presents the contributed metric, but the supplied record does not show a separate NVD-authored CVSS assessment.
This attribution matters in vulnerability-management systems. A feed may display MEDIUM without preserving that Chromium rated the issue Low, or it may label the CVE unscored because it looks only for an NVD-authored value. Internal tickets should preserve the source alongside the score.
The operational conclusion is straightforward: update promptly, but do not treat the 6.5 score as evidence of a stand-alone attack, a complete Android compromise, or active exploitation.

The Affected Scope Is Chrome on Android, Not Every Chrome Installation​

CVE-2026-14096 is recorded as affecting Google Chrome on Android before version 150.0.7871.47. The affected condition combines three elements:
  • Product: Google Chrome.
  • Platform: Android.
  • Version: Earlier than 150.0.7871.47.
Dropping any one of those elements can create inaccurate vulnerability findings.
The record does not establish that desktop Chrome on Windows, macOS, Linux, or ChromeOS is affected. It also does not identify Microsoft Edge, Android WebView, Android itself, or every Chromium-based browser as affected products.
Shared Chromium ancestry is not sufficient evidence to assign this CVE to another browser. Another vendor may use some of the same upstream code, but applicability requires a product-specific advisory, affected-version declaration, or other authoritative evidence.
The correct scope handling is therefore deliberately narrow:
Detected softwarePublished status for this CVEAdministrative response
Chrome on Android below 150.0.7871.47AffectedUpdate and verify
Chrome on Android at 150.0.7871.47 or laterOutside the published affected rangeRecord the verified version
Desktop ChromeNot established as affectedDo not create a finding from this Android record alone
Microsoft EdgeNot established as affectedAwait an Edge-specific determination
Android WebViewNot established as affectedEvaluate independently
Other Chromium-based Android browsersNot established as affectedFollow the applicable browser vendor
This distinction is especially useful for Windows administrators because scanner matching frequently overemphasizes the product name and version while hiding the platform condition. A finding that says only “Chrome below 150.0.7871.47” may incorrectly route Android remediation to a Windows desktop team.
A valid match should demonstrate the complete affected combination: Google Chrome, Android, and a version earlier than 150.0.7871.47. Unsupported desktop findings should be excluded with the platform evidence documented, while genuine Android findings should be routed to the team responsible for mobile applications or device compliance.
Scope discipline prevents both wasted work and false reassurance. Broadening the CVE can generate irrelevant desktop tickets, while burying the genuinely affected Android devices inside those false positives.

“Input” Is a Component Name, Not an Exploit Explanation​

Security advisories often name an internal component without providing the implementation details needed to explain the defect. “Input” may suggest forms, touch interactions, event handling, keyboard processing, focus behavior, or another internal path, but the public record does not identify which interpretation is correct.
“Inappropriate implementation” is similarly broad. It states that the component behaved incorrectly from a security perspective, but it does not establish a memory-safety error, authorization failure, race condition, object-lifetime problem, parser defect, or specific validation omission.
The permission-restricted Chromium issue may contain additional engineering context, but the only supported public conclusion is that access is restricted. The supplied material does not establish why Google restricted it, how long the restriction will remain, or what disclosure policy applies.
That limitation should narrow the article rather than invite speculation. There is no public basis in the reviewed record for:
  • Naming a particular HTML element as the trigger.
  • Describing a specific touch, keyboard, or gesture sequence.
  • Presenting exploit code or a proof of concept.
  • Claiming that a particular Chrome process arrangement causes the flaw.
  • Characterizing it as a complete Site Isolation bypass.
  • Describing Android as using a particular isolation architecture for purposes of this CVE.
  • Identifying a reliable detection signature.
The verified facts are sufficient for remediation: Chrome on Android is affected below 150.0.7871.47; an already-compromised renderer and crafted HTML are required; and the stated result is cross-origin information disclosure.
The absence of implementation detail does not prove that the vulnerability is secretly more severe. It means defenders have a version-based control but do not have enough public evidence to build a CVE-specific behavioral detection with confidence.

CISA-ADP Records Exploitation as “None”​

CISA-ADP’s SSVC entry records exploitation as “none.” That field should be repeated with its attribution and without turning it into a broader claim that no exploitation exists anywhere.
The SSVC contribution also records:
  • Automatable: No.
  • Technical impact: Partial.
These are assessment categories, not a substitute for technical evidence.
“Exploitation: none” means the CISA-ADP entry contains that selection. It does not prove that private experimentation has never occurred, guarantee that exploitation will not appear later, or establish a permanent real-world status.
“Automatable: no” should likewise remain a narrow attribution. It does not establish exactly which stages of an attack could be automated, how a malicious page could be distributed, or how reliably an attacker could exploit a vulnerable device.
“Technical impact: partial” is consistent with a bounded confidentiality consequence rather than complete control of the browser or device. It should not be expanded into an unsupported statement about the precise records, accounts, or resources that could be exposed.
The practical posture remains proportional: update affected installations and verify the corrected version without describing CVE-2026-14096 as an actively exploited zero-day or a complete Android takeover.

The Record Was Enriched in Stages​

The vulnerability record brings together material supplied and categorized by different organizations. The exact source of each field matters more than attaching an unsupported calendar date or timestamp to every change.

Timeline​

Chrome-originated disclosure: Chrome supplied the core vulnerability description, product scope, affected-version boundary, vendor severity, and associated references.
CISA-ADP enrichment: CISA-ADP contributed the CVSS 3.1 vector and 6.5 MEDIUM score, the CWE-200 classification, and the SSVC selections for exploitation, automation, and technical impact.
NVD and NIST presentation: The NVD record presented the supplied information and affected configuration. In the reviewed material, NVD had not provided a separate CVSS assessment of its own.
Remediation threshold: Chrome for Android 150.0.7871.47 defines the boundary outside the published affected range.
This staged structure explains why two security tools may display different summaries. One may emphasize Chromium’s Low severity, another may ingest CISA-ADP’s 6.5 MEDIUM score, and a third may report that an NVD-authored score is unavailable.
Those differences do not establish separate vulnerabilities or separate technical outcomes. They show why vulnerability data should retain provenance instead of reducing every field to “NVD says.”

Version 150.0.7871.47 Is the Closing Test​

The affected range excludes version 150.0.7871.47. Chrome on Android installations earlier than that release are affected; installations at that version or later are outside the published vulnerable range.
Administrators should compare the complete four-part version. A result such as “Chrome 150” is insufficient because builds within the same major release can fall on opposite sides of the security boundary.
Reported Chrome versionStatusRequired action
Earlier than 150.0.7871.47Within the affected rangeUpdate and verify again
Exactly 150.0.7871.47Meets the published thresholdRecord the verified result
Later than 150.0.7871.47Outside the affected rangeRecord the verified result
“Chrome 150” without the complete buildInsufficient evidenceCollect the full version
Missing, stale, or conflicting versionUnknownKeep the finding open
Version components should be compared numerically and in sequence: 150, then 0, then 7871, then 47. The version is not a decimal number, and matching only the major version is not adequate compliance evidence.
The public record does not establish a CVE-specific cause for an update that is unavailable or fails to install. Troubleshooting should follow current support guidance from Google, the device manufacturer, the application distributor, or the organization’s management-platform vendor rather than attributing the problem to speculative storage, network, account, enrollment, or rollout conditions.
Similarly, the record does not support claiming that a relaunch is required for this remediation. The reliable test is the installed version shown by Chrome or by a trustworthy application-inventory source.

Action checklist for administrators​

  • Inventory Google Chrome installations on managed Android devices.
  • Collect the complete four-part installed version.
  • Flag every Chrome-on-Android installation below 150.0.7871.47.
  • Treat missing, stale, truncated, or conflicting version data as unresolved.
  • Direct affected users through Google Play Store > profile icon > Manage apps & device > Updates available > Chrome > Update.
  • After the update, direct users to Chrome > ⋮ > Settings > About Chrome.
  • Close the finding only when Chrome reports 150.0.7871.47 or later.
  • Record devices whose corrected version cannot be verified and assign an owner and next action.
  • Preserve the assessment source in internal reporting: Chromium rates the issue Low, while CISA-ADP contributes the 6.5 MEDIUM score.
  • Do not label the 6.5 value as an independently calculated NVD score.
  • Do not mark desktop Chrome, Microsoft Edge, Android WebView, other Chromium browsers, or Android generally as affected without separate authoritative evidence.
  • Continue monitoring authoritative vulnerability information for changes to affected scope, technical detail, or exploitation status.
A useful remediation record can include the device identifier, Android platform, complete Chrome version, time of observation, remediation action, post-remediation version, and owner of any unresolved exception. This is an evidence checklist, not a claim that every device-management product automatically collects each field.

Version Verification Is More Reliable Than Exploit Hunting Here​

The public material does not provide indicators of compromise, malicious domains, exploit signatures, crash patterns, or confirmed post-exploitation artifacts. It therefore does not support a CVE-specific detection rule that can reliably determine whether an Android device encountered an exploit attempt.
Organizations may still review their normal browser, endpoint, identity, and network telemetry as part of broader security operations. Those activities should not be described as vendor-documented detection methods for CVE-2026-14096.
The strongest available control is preventive and measurable:
  1. Identify Chrome on Android.
  2. Determine the complete installed version.
  3. Update installations below 150.0.7871.47.
  4. Collect fresh version evidence.
  5. Keep unknown or lower versions open until resolved.
The record also does not prescribe a specific mobile-device-management platform, deployment policy, access restriction, exception process, or compensating control. Organizations may use their existing management capabilities, but those local procedures should not be presented as CVE-specific guidance from Google, CISA-ADP, NVD, or NIST.

Exploit-Chain Utility Explains the Severity Gap​

CVE-2026-14096 illustrates why the severity of an isolated defect is not always the same as its usefulness inside a larger attack.
As an entry point, the vulnerability is limited by a significant prerequisite: the renderer must already be compromised. That supports Chromium’s Low severity.
Once that prerequisite is met, however, the flaw may expose cross-origin information that the hostile renderer should not receive. CISA-ADP’s CVSS calculation gives that confidentiality consequence substantial weight, resulting in a 6.5 MEDIUM score.
No complete chain is documented in the supplied record. Defenders should not invent a first-stage renderer vulnerability, claim a sandbox escape, or state that the flaw has been paired with another CVE. The supported insight is structural rather than campaign-specific: a vulnerability can be weak as an initial entry point while remaining useful as a post-compromise capability.
That is also why patching remains justified without emergency rhetoric. Removing one link from a possible chain reduces an attacker’s options, and the remediation has an objective success condition.

The Practical Read for WindowsForum Administrators​

Despite the Chrome product name, this is not a published Windows Chrome finding. Windows administrators may still encounter it because vulnerability platforms, asset databases, and support workflows often normalize software records without retaining the operating-system condition.
When a Windows Chrome device is matched to CVE-2026-14096, inspect the evidence before opening a remediation ticket. A correct match needs to establish Android as the platform. The version threshold should not be copied to desktop Chrome, Edge, or every Chromium product.
When a genuine Android match is found, the response is uncomplicated: update Chrome and verify the result. Do not close the item because an update was approved, assigned, offered, or reported as downloaded. Close it when trustworthy evidence shows Chrome 150.0.7871.47 or later.
CVE-2026-14096 is therefore a useful test of both patch management and vulnerability-data discipline. Teams need to preserve the product, platform, version range, assessment source, and exploit prerequisite rather than compressing the record into “Chrome, Medium.”
The forward-looking lesson extends beyond this one disclosure. Browser security programs need dependable application inventory as much as rapid update delivery. Deployment status records intent; installed-version evidence records outcome. For CVE-2026-14096, the outcome is measurable: Chrome on Android below 150.0.7871.47 remains within the published affected range, while 150.0.7871.47 or later crosses the remediation threshold. Update the affected application, verify the complete version, keep unknown devices visible, and avoid broadening the CVE beyond the scope the record actually establishes.

References​

  1. Primary source: NVD / Chromium
    Published: 2026-07-11T15:41:33-07:00
  2. Security advisory: MSRC
    Published: 2026-07-11T15:41:33-07:00
    Original feed URL
  3. Related coverage: chromium.org
  4. Related coverage: issues.chromium.org
  5. Related coverage: blog.chromium.org
 

Back
Top