CVE-2026-14114: Update Chrome Android to 150.0.7871.47

Answer
  • Affected: Google Chrome on Android earlier than 150.0.7871.47
  • Fix: Update Chrome on Android to 150.0.7871.47 or later
  • Desktop Chrome: Windows, macOS, and Linux editions are not identified as affected
  • Exploitation: The CISA-ADP SSVC assessment recorded none as of July 1, 2026
  • Operational verdict: Use accelerated routine mobile-app patching. The record does not establish a desktop Chrome emergency or confirmed active exploitation.
Google has disclosed CVE-2026-14114, a Chrome for Android vulnerability in the WebAppInstalls component that can allow a local attacker to spoof security-relevant interface information through a malicious file. Chrome identifies the issue as Low severity, but CISA-ADP assigns it a 7.5 HIGH CVSS 3.1 score.
The immediate action is straightforward:
  1. On the Android device, open Google Play Store > profile icon > Manage apps & device > Updates available > Google Chrome > Update.
  2. Open Chrome > ⋮ > Settings > About Chrome and confirm that the installed version is 150.0.7871.47 or later.
That version check matters because the verified affected range is platform-specific: Chrome on Android before 150.0.7871.47. The available record does not identify desktop Chrome on Windows, macOS, or Linux as affected by this CVE.

A smartphone shows Chrome is up to date beside an Android security checklist and protected laptop.A Low-Rated Chrome Bug With a High-Scoring Identity Crisis​

Chrome describes CVE-2026-14114 as an inappropriate implementation in WebAppInstalls that permitted a local attacker to perform UI spoofing through a malicious file. The affected product is Google Chrome on Android, and the vulnerable range ends immediately before version 150.0.7871.47.
The distinctive part of the record is the disagreement between two severity signals:
  • Chromium security severity: Low
  • CISA-ADP CVSS 3.1 base score: 7.5 HIGH
CISA-ADP supplied the vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
That vector represents a network attack vector, low attack complexity, no required privileges, no user interaction, unchanged scope, no confidentiality impact, High integrity impact, and no availability impact.
NVD displays that contributed score but has not supplied its own CVSS 3.x assessment. It also shows no NVD assessment under CVSS 4.0 or CVSS 2.0. The 7.5 displayed in the record should therefore be attributed specifically to CISA-ADP rather than presented as an independent NVD conclusion.
WindowsForum’s recommendation is to preserve both signals during triage. The Low vendor rating should not be used to dismiss an available browser security update, while the contributed 7.5 score should not be translated automatically into claims of remote compromise, desktop exposure, or active exploitation.
The operational result is an accelerated routine update for Chrome on Android, not an emergency response across every system running a product named Google Chrome.
Public-record limitations
  • The referenced Chromium issue requires permission.
  • Public exploit mechanics and reproduction steps are unavailable.
  • The supplied CISA-ADP SSVC record identified no known exploitation as of July 1, 2026.
Claims about the exact visual elements that can be spoofed, the malicious file’s format, or the complete attack sequence would go beyond the accessible record.

UI Spoofing Is the Verified Security Effect​

CVE-2026-14114 maps to CWE-451, User Interface Misrepresentation of Critical Information. The verified security effect is UI spoofing: a malicious file can trigger an implementation flaw that causes Chrome for Android to present misleading security-relevant interface information.
This is not described as arbitrary code execution, a sandbox escape, an information-disclosure flaw, or a denial-of-service condition. No public record for this CVE establishes that the attacker receives new Android permissions, executes native code, reads protected browser data, or gains control of the device.
That narrower scope should shape reporting. Defenders can state that the flaw affects the integrity of information shown through the vulnerable interface path. They should avoid reconstructing an undocumented phishing campaign or attributing additional technical capabilities to the flaw.
The CWE classification and the CISA-ADP vector both focus attention on integrity. CISA-ADP marks confidentiality and availability impact as None while assigning integrity impact as High. An analytical reading is that the contributed score treats the misleading representation of security-relevant information as potentially consequential.
That is a scoring interpretation, not a public demonstration of a complete attack. Without access to the restricted Chromium issue, the record does not show how broad the spoof can be, what interface fields are affected, or what conditions are required after the malicious file is delivered.
The fixed version remains more concrete than speculation about those missing details. Chrome on Android should be brought to 150.0.7871.47 or later.

The Public Vector Does Not Align Neatly With the Description​

The central analytical question is how to reconcile Chrome’s description with the CISA-ADP CVSS vector.
Chrome describes a local attacker using a malicious file. CISA-ADP records AV:N, indicating a network attack vector, and UI:N, indicating that its calculation does not require user interaction.
Those statements are not necessarily impossible to reconcile, but the accessible material does not explain the relationship. A file might be delivered over a network and later exist locally, for example, but that is only a possible interpretation. It should not be reported as the documented CVE-2026-14114 attack chain.
The UI:N value also deserves careful wording. Because the weakness concerns interface spoofing, it may be tempting to argue that a user must see or act on the misleading information. The restricted issue may contain context that informed CISA-ADP’s selection, but the public record does not provide enough detail to resolve that question.
WindowsForum therefore recommends treating the 7.5 score as a meaningful contributed assessment while avoiding unsupported translations such as:
  • “An attacker can compromise Chrome remotely without the user doing anything.”
  • “Simply receiving a file compromises the Android device.”
  • “The flaw provides remote code execution.”
  • “The attacker can install an application automatically.”
  • “All products using Chrome version numbers below the threshold are vulnerable.”
None of those conclusions follows from the available description.
The score can still support prompt patching. It cannot substitute for exploit mechanics that have not been published.

Android Is the Target, Not Desktop Chrome​

The affected-product boundary is explicit: Google Chrome on Android before 150.0.7871.47. NIST’s affected configuration combines Chrome below that version boundary with the Android operating system.
Platform or versionCVE record statusOperational interpretation
Chrome on Android before 150.0.7871.47AffectedUpdate required
Chrome on Android 150.0.7871.47Fixed-version thresholdMeets the stated remediation boundary
Chrome on Android later than 150.0.7871.47Outside the identified vulnerable rangeConfirm the installed version
Chrome on WindowsNot identified as affectedDo not infer exposure from the Chrome name or version alone
Chrome on macOSNot identified as affectedDo not infer exposure from the referenced release family
Chrome on LinuxNot identified as affectedThe CVE description is Android-specific
NVD includes a Chrome release-post URL among the references and classifies it as Chrome release notes and a vendor advisory. NVD also references the permission-restricted Chromium issue.
Those reference classifications establish that the pages are associated with the record. They do not, by themselves, establish additional claims about desktop build numbers, the contents of the release announcement, or Google’s policy for restricting bug details.
Most importantly, the presence of a desktop release-post reference does not broaden the CVE’s affected-product statement. The public description and NIST configuration identify Chrome running on Android.
For WindowsForum readers, the practical distinction is simple: a security alert may be viewed from a Windows PC, appear in a Windows-oriented administration workflow, or mention the Google Chrome product family, but CVE-2026-14114 is not documented as a Windows Chrome vulnerability.
A scanner result for desktop Chrome should be reviewed for platform context before it is accepted as a valid finding. Matching only the product name and numerical version boundary can produce an incorrect conclusion if the Android requirement is omitted.

The Restricted Issue Sets a Clear Reporting Boundary​

The Chromium issue referenced by the CVE requires permission. That restriction leaves the public record without detailed reproduction instructions, implementation analysis, or a confirmed end-to-end exploit path.
Responsible reporting should remain within what Chrome, CISA-ADP, and NIST have recorded:
  • The vulnerable component is WebAppInstalls.
  • The affected product is Google Chrome on Android.
  • Versions before 150.0.7871.47 are affected.
  • A local attacker can use a malicious file to perform UI spoofing.
  • Chromium rates the issue Low.
  • CISA-ADP assigns a 7.5 HIGH CVSS 3.1 score.
  • CISA-ADP maps the issue to CWE-451.
  • The CISA-ADP SSVC assessment records exploitation as none, automatable as yes, and technical impact as partial.
  • The referenced Chromium issue is permission-restricted.
That is enough information to support a concrete update decision. It is not enough to identify the precise file structure, list every spoofable element, prescribe a special enterprise policy, or publish a reliable detection signature.
The appropriate mitigation is therefore version-based. Update Chrome on Android and verify that the installed application has reached the fixed threshold.

CISA-ADP Records No Known Exploitation​

CISA-ADP added an SSVC 2.0.3 assessment with CISA Coordinator as the role. Its options are:
  • Exploitation: none
  • Automatable: yes
  • Technical impact: partial
The exploitation field is the most important one for distinguishing patch urgency from incident-response urgency. As of the SSVC timestamp on July 1, 2026, the assessment did not identify exploitation.
This is not a permanent guarantee. Exploitation status can change as new information appears. It does, however, mean that the supplied record does not support describing CVE-2026-14114 as an actively exploited zero-day.
“Automatable: yes” is an assessor-supplied judgment. The public CVE description does not contain sufficient mechanics to explain how the attack would be automated or scaled. Administrators can preserve the SSVC value in their records without inventing the missing operational details.
“Technical impact: partial” is consistent with treating the immediate effect as constrained rather than a total loss of system security. It should not be expanded into a claim about specific data, accounts, applications, or device functions.
Taken together, the SSVC record supports prompt remediation without suggesting that every affected device must be isolated or investigated as a suspected compromise.

Patch the Mobile Application and Verify the Result​

Remediation should focus on the installed Chrome application version on Android. The Android operating-system patch level is not the version boundary named in this CVE.

Two-step user procedure​

  1. Open Google Play Store, select the profile icon, and go to Manage apps & device > Updates available > Google Chrome > Update.
  2. Open Chrome, select ⋮ > Settings > About Chrome, and verify that the version is 150.0.7871.47 or later.
If the Play Store offers a version later than 150.0.7871.47, install the later version. The CVE defines a minimum fixed threshold, not a requirement to remain on that exact build.
Users should not be told to uninstall Chrome, clear all browsing data, reset the Android device, remove every installed web app, or reinstall the operating system solely because of this CVE. Those actions are not established as required remediation in the available record.

Action checklist for admins​

  • Inventory Chrome versions specifically on Android where verified version data is available.
  • Identify Chrome on Android installations earlier than 150.0.7871.47.
  • Direct users to install the current Google Chrome update from Google Play.
  • Verify the installed Chrome version after the update.
  • Preserve the Android platform requirement in vulnerability tickets and reports.
  • Review desktop detections that match only the product name and version number.
  • Do not classify Windows, macOS, or Linux Chrome installations as affected without separate vendor evidence.
  • Record Chromium’s Low severity and the CISA-ADP 7.5 HIGH score together.
  • Attribute the 7.5 vector to CISA-ADP rather than NVD.
  • Record that the supplied SSVC assessment listed exploitation as none on July 1, 2026.
  • Avoid unsupported claims about the malicious file, spoofed interface elements, or attack sequence.
  • Reassess the finding if Chrome publishes additional technical details or exploitation information.

Timeline​

June 30, 2026 — Chrome CVE record received: Chrome identified an inappropriate implementation in WebAppInstalls affecting Chrome on Android before 150.0.7871.47. The description states that a local attacker could perform UI spoofing through a malicious file and labels the Chromium security severity Low.
June 30, 2026 — NVD publication: NVD published CVE-2026-14114 with Chrome as the source and included the Chrome release-post URL and restricted Chromium issue as references.
July 1, 2026 — CISA-ADP enrichment: CISA-ADP added the 7.5 HIGH CVSS 3.1 vector, CWE-451 classification, and SSVC 2.0.3 assessment. The SSVC options recorded exploitation as none, automatable as yes, and technical impact as partial.
July 6, 2026 — NIST initial analysis: NIST added an affected configuration joining Chrome versions below 150.0.7871.47 with Android. It also classified the Chrome URL as release notes and a vendor advisory and classified the Chromium issue as requiring permission.

Scanner Severity Is Not the Same as Operational Priority​

CVE-2026-14114 demonstrates why a single severity field cannot carry an entire patch decision.
A workflow based only on the CISA-ADP score may place the issue in an emergency queue because 7.5 falls in the CVSS 3.1 High range. A workflow based only on Chromium’s Low rating may postpone the update unnecessarily. Neither approach preserves the complete record.
The relevant factors are:
Triage factorVerified status
Affected platformChrome on Android
Vulnerable rangeEarlier than 150.0.7871.47
Fixed threshold150.0.7871.47
Documented effectUI spoofing through a malicious file
Chromium severityLow
CISA-ADP score7.5 HIGH
NVD CVSS assessmentNot provided
Known exploitation in supplied SSVC recordNone as of July 1, 2026
SSVC automatable valueYes
SSVC technical impactPartial
Public exploit mechanicsUnavailable
Desktop Chrome affectedNot identified
WindowsForum’s operational recommendation is accelerated routine mobile-app patching. Organizations should move affected Android browsers across the fixed boundary promptly and verify completion, but the supplied evidence does not justify treating the event as a confirmed compromise campaign.
This recommendation is an editorial risk judgment, not an additional vendor severity rating. It balances an available fix and a contributed High score against the Android-only scope, Low Chromium rating, partial SSVC technical impact, restricted exploit details, and absence of known exploitation in the supplied SSVC record.
If internal policy automatically escalates every CVSS score of 7.0 or higher, the ticket should document that:
  1. The 7.5 score was contributed by CISA-ADP.
  2. NVD had not supplied its own CVSS assessment.
  3. Chromium assigned Low severity.
  4. Chrome described a local attacker using a malicious file.
  5. The SSVC record listed exploitation as none.
  6. The documented product scope is Chrome on Android.
  7. The fixed version threshold is available and directly verifiable.
That is not an attempt to override the score. It is the context needed to translate severity metadata into an appropriate response.

What Defenders Should Carry Forward​

The immediate remedy is simple, but the record shows why browser vulnerability triage must preserve platform, source, and assessment context.
  • CVE-2026-14114 affects Google Chrome on Android before 150.0.7871.47.
  • The fix is to update Chrome on Android to 150.0.7871.47 or later.
  • Users should update through Google Play Store > profile icon > Manage apps & device > Updates available > Google Chrome > Update.
  • Users should verify the result through Chrome > ⋮ > Settings > About Chrome.
  • Chrome describes the effect as UI spoofing through a malicious file in WebAppInstalls.
  • Chromium assigns a Low security severity.
  • CISA-ADP assigns a 7.5 HIGH CVSS 3.1 score.
  • NVD displays the CISA-ADP score but does not provide its own CVSS assessment.
  • The CISA-ADP vector assigns High integrity impact and no confidentiality or availability impact.
  • The public description and vector leave unresolved questions about the recorded network attack vector and lack of required user interaction.
  • The restricted Chromium issue prevents a reliable public reconstruction of the exploit.
  • The supplied SSVC assessment recorded no known exploitation as of July 1, 2026.
  • Windows, macOS, and Linux Chrome are not identified as affected.
  • A desktop release-post reference does not override the Android-specific product scope.
  • Scanner findings must retain the operating-system condition rather than matching only “Google Chrome” and a version number.
  • The proportionate response is accelerated routine patching of Chrome on Android, not an unsupported declaration of a desktop Chrome emergency or active exploitation.
The score mismatch remains the most important lesson. Chromium’s Low label and CISA-ADP’s 7.5 HIGH assessment are not interchangeable, and neither should erase the verified facts underneath them. Defenders have a precise affected platform, a precise version boundary, a direct update procedure, and a clear way to confirm remediation.
Patch the Android application, verify version 150.0.7871.47 or later, preserve the score’s attribution, and keep future escalation tied to new evidence rather than assumptions filling the gaps left by a restricted bug report.

References​

  1. Primary source: NVD / Chromium
    Published: 2026-07-11T15:41:35-07:00
  2. Security advisory: MSRC
    Published: 2026-07-11T15:41:35-07:00
    Original feed URL
  3. Related coverage: cvefeed.io
  4. Related coverage: security.snyk.io
 

Back
Top