Google Chrome on Android versions earlier than 150.0.7871.47 are affected by CVE-2026-13868, a medium-severity flaw that the supplied National Vulnerability Database record describes as an inappropriate implementation in Chrome’s Network component. According to that record, a remote attacker who had already compromised a renderer could use crafted HTML to bypass site isolation. Android users should update Chrome to version 150.0.7871.47 or later and verify the complete installed version.
The public description is narrow. The supplied NVD record says CVE-2026-13868 affects Google Chrome on Android before 150.0.7871.47. It describes a remote attacker using crafted HTML to bypass site isolation after first compromising a renderer.
The renderer-compromise prerequisite is essential. CVE-2026-13868 is not described as the vulnerability that initially compromises the renderer. The record establishes a post-renderer-compromise site-isolation bypass, not a standalone path from an otherwise ordinary webpage to complete control of Chrome or the Android device.
The disclosed scenario can be summarized as follows:
It also does not establish any of the following outcomes:
CISA-ADP assigned the weakness classification CWE-346, Origin Validation Error, as shown in the supplied NVD record. That classification should be reported as assigned rather than expanded into an unsupported explanation of the specific validation failure. The public description does not identify the exact origin value involved, the relevant comparison or trust decision, or the practical access produced after successful exploitation.
Likewise, the record’s reference to site isolation does not provide a general technical specification for that feature. It does not document Chrome’s process architecture, Android’s isolation strategy, device-memory tradeoffs, hardened-mode availability, or which categories of information site isolation protects. Those broader architectural claims require separate authoritative documentation and are not necessary to apply the update.
The defensible conclusion is therefore precise: CVE-2026-13868 is a site-isolation bypass in Chrome on Android that requires a previously compromised renderer and crafted HTML. Versions below 150.0.7871.47 are affected. The supplied record does not establish a broader platform scope or a complete device-compromise scenario.
The supplied record had not provided a separate NVD-authored CVSS 4.0, CVSS 3.x, or CVSS 2.0 assessment. Accurate reporting should therefore attribute the displayed 6.5 score to CISA-ADP rather than calling it an NVD calculation.
The vector supports describing the vulnerability as network-accessible and low in attack complexity under the CVSS model, with no privileges required and user interaction required. Those values should not be translated into a more specific attack procedure than the record provides.
In particular, “user interaction required” does not by itself establish a single-click scenario. “Low attack complexity” is a CVSS metric and does not remove the separately documented prerequisite that the renderer must already have been compromised.
The CVSS vector scores high integrity impact but no confidentiality or availability impact. That should be reported as written. The article should not replace the recorded impact values with assumptions about cross-site reading, credential theft, arbitrary data disclosure, browser crashes, or device availability. Any explanation for why the vector was scored that way would be analysis unless supported by additional authoritative information.
CISA-ADP’s Stakeholder-Specific Vulnerability Categorization contribution records:
“Automatable: no” should also be left within its recorded scope. It does not establish that malicious content cannot be distributed broadly, and it does not provide an exploit-complexity analysis beyond the SSVC selection itself.
“Technical impact: partial” is consistent with keeping the reported outcome narrower than complete browser or device compromise. It does not define the exact actions available after the site-isolation bypass.
Taken together, the assessments support prompt, calm remediation. The supplied evidence identifies an affected version range and a corrected threshold, but it does not establish an active campaign, a complete attack chain, or compromise of every device running an affected version.
Users and support teams should compare the complete four-part version. A result that shows only “Chrome 150” is insufficient because it does not establish whether the installation is below or at the fixed build.
The supplied NVD record supports version-based remediation but does not document an alternative configuration workaround. Clearing browsing data, closing tabs, using incognito mode, changing site permissions, or restarting the phone should not be presented as substitutes for installing a corrected Chrome version.
The record also does not establish that disabling JavaScript, changing isolation settings, or enabling another browser option prevents exploitation. Administrators should not substitute an inferred workaround for the explicit version threshold.
The supplied NVD record does not prescribe a mobile-device-management product, deployment channel, inventory agent, update policy, or enforcement design. Organizations should use the capabilities documented for their own management platforms rather than assuming that every platform can remotely update Chrome, force a relaunch, or block an application according to its four-part version.
A defensible enterprise process has four stages:
That recommendation is intentionally conditional. The NVD record does not establish that a particular Microsoft, Google, or third-party platform can enforce a Chrome build threshold. Teams must confirm what their own products support before creating an access rule.
Where version-aware enforcement is unavailable, the immediate task remains inventory, user notification, supported remediation, and post-update verification. The article should not claim that conditional access, application-protection rules, session settings, or privileged-session architecture will compensate for the vulnerability without product-specific evidence.
CISA-ADP assessment: CISA-ADP contributed the CVSS 3.1 vector and 6.5 Medium score, the CWE-346 Origin Validation Error classification, and the SSVC selections.
NVD and NIST presentation: The supplied NVD record presented the contributed vulnerability information, assessments, references, and affected-product configuration. NVD had not supplied its own CVSS assessment in that record.
This sequence is useful for attribution. A score or classification displayed on an NVD page is not necessarily calculated by NVD. For CVE-2026-13868, the 6.5 CVSS score, vector, CWE assignment, and SSVC values should remain attributed to CISA-ADP.
Specific claims involving June 30, July 1, or July 6, 2026, have been omitted because they are not needed to identify affected devices or apply the update and should not be treated as disclosure, release, enrichment, or rollout dates without confirmed source-level support.
The same caution applies to Android WebView and other browsers. Shared components, Chromium ancestry, similar feature names, or overlapping browser behavior do not prove that another product contains the vulnerable implementation or uses Chrome’s corrected version number.
Administrators should therefore:
The response is direct: open Chrome’s three-dot menu > Settings > About Chrome, verify the full version, and use the Google Play Store to update if it is below 150.0.7871.47. Enterprises should inventory managed Android Chrome installations, remediate lower versions, and require the corrected threshold for sensitive browser-based work where their management platform supports that control.
Patch Chrome on Android, verify 150.0.7871.47 or later, and keep every lower or unknown result open until it is resolved.
Who is affected / what to do
Affected: Google Chrome on Android below 150.0.7871.47, according to the supplied NVD affected-product information.
Required action: Update Chrome to 150.0.7871.47 or later and verify the complete version after the update.
Not established by this record: The supplied NVD information does not establish exposure for Chrome on Windows, macOS, Linux, ChromeOS, Android WebView, or other browsers. Those products and platforms should not be marked affected by assumption.
What CVE-2026-13868 Does—and Does Not Establish
The public description is narrow. The supplied NVD record says CVE-2026-13868 affects Google Chrome on Android before 150.0.7871.47. It describes a remote attacker using crafted HTML to bypass site isolation after first compromising a renderer.The renderer-compromise prerequisite is essential. CVE-2026-13868 is not described as the vulnerability that initially compromises the renderer. The record establishes a post-renderer-compromise site-isolation bypass, not a standalone path from an otherwise ordinary webpage to complete control of Chrome or the Android device.
The disclosed scenario can be summarized as follows:
- A Chrome renderer has already been compromised through some separate means not identified in this CVE.
- The attacker uses crafted HTML.
- The vulnerable Network implementation permits a site-isolation bypass.
It also does not establish any of the following outcomes:
- A complete remote-code-execution exploit.
- A one-step or “one-click” compromise.
- A Chrome sandbox escape.
- Android operating-system takeover.
- Administrator or root privileges.
- Arbitrary-file access.
- Persistence on the device.
- A demonstrated capability to read data from another site.
- A demonstrated compromise of accounts, sessions, credentials, or cloud services.
- Exposure of Chrome on desktop operating systems, ChromeOS, WebView, or other browsers.
CISA-ADP assigned the weakness classification CWE-346, Origin Validation Error, as shown in the supplied NVD record. That classification should be reported as assigned rather than expanded into an unsupported explanation of the specific validation failure. The public description does not identify the exact origin value involved, the relevant comparison or trust decision, or the practical access produced after successful exploitation.
Likewise, the record’s reference to site isolation does not provide a general technical specification for that feature. It does not document Chrome’s process architecture, Android’s isolation strategy, device-memory tradeoffs, hardened-mode availability, or which categories of information site isolation protects. Those broader architectural claims require separate authoritative documentation and are not necessary to apply the update.
The defensible conclusion is therefore precise: CVE-2026-13868 is a site-isolation bypass in Chrome on Android that requires a previously compromised renderer and crafted HTML. Versions below 150.0.7871.47 are affected. The supplied record does not establish a broader platform scope or a complete device-compromise scenario.
CVSS and SSVC Status
CISA-ADP contributed a CVSS 3.1 base score of 6.5 Medium for CVE-2026-13868, according to the assessment displayed in the supplied NVD record. The corresponding vector is:CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NThe supplied record had not provided a separate NVD-authored CVSS 4.0, CVSS 3.x, or CVSS 2.0 assessment. Accurate reporting should therefore attribute the displayed 6.5 score to CISA-ADP rather than calling it an NVD calculation.
| Assessment element | Recorded result | What the supplied NVD record supports |
|---|---|---|
| Chrome severity | Medium | Chrome categorized the vulnerability as Medium |
| CISA-ADP CVSS 3.1 | 6.5 Medium | CISA-ADP contributed the displayed score |
| Attack vector | Network | The CVSS vector records AV:N |
| Attack complexity | Low | The CVSS vector records AC:L |
| Privileges required | None | The CVSS vector records PR:N |
| User interaction | Required | The CVSS vector records UI:R |
| Scope | Unchanged | The CVSS vector records S:U |
| Confidentiality impact | None | The CVSS vector records C:N |
| Integrity impact | High | The CVSS vector records I:H |
| Availability impact | None | The CVSS vector records A:N |
| NVD-authored CVSS | Not provided | NVD had not supplied its own assessment in the supplied record |
In particular, “user interaction required” does not by itself establish a single-click scenario. “Low attack complexity” is a CVSS metric and does not remove the separately documented prerequisite that the renderer must already have been compromised.
The CVSS vector scores high integrity impact but no confidentiality or availability impact. That should be reported as written. The article should not replace the recorded impact values with assumptions about cross-site reading, credential theft, arbitrary data disclosure, browser crashes, or device availability. Any explanation for why the vector was scored that way would be analysis unless supported by additional authoritative information.
CISA-ADP’s Stakeholder-Specific Vulnerability Categorization contribution records:
- Exploitation: none.
- Automatable: no.
- Technical impact: partial.
“Automatable: no” should also be left within its recorded scope. It does not establish that malicious content cannot be distributed broadly, and it does not provide an exploit-complexity analysis beyond the SSVC selection itself.
“Technical impact: partial” is consistent with keeping the reported outcome narrower than complete browser or device compromise. It does not define the exact actions available after the site-isolation bypass.
Taken together, the assessments support prompt, calm remediation. The supplied evidence identifies an affected version range and a corrected threshold, but it does not establish an active campaign, a complete attack chain, or compromise of every device running an affected version.
Update Chrome on Android Now
Android users can check and update Chrome immediately:- Open Chrome on the Android device.
- Tap the three-dot menu.
- Select Settings.
- Select About Chrome.
- Read the complete version number.
- Confirm that the version is 150.0.7871.47 or later.
- If the version is earlier, open the Google Play Store.
- Search for Google Chrome.
- Select Update if an update is available.
- After the update finishes, reopen Chrome and return to three-dot menu > Settings > About Chrome.
- Verify that Chrome now displays 150.0.7871.47 or later.
Users and support teams should compare the complete four-part version. A result that shows only “Chrome 150” is insufficient because it does not establish whether the installation is below or at the fixed build.
| Installed Chrome version on Android | Status under the supplied NVD record | Required response |
|---|---|---|
| Earlier than 150.0.7871.47 | Affected | Update Chrome and verify again |
| Exactly 150.0.7871.47 | Meets the stated threshold | Record the verified version |
| Later than 150.0.7871.47 | Outside the stated affected range | Record the verified version |
| Only “Chrome 150” is known | Unverified | Obtain the complete four-part version |
| Version is missing, stale, or conflicting | Unknown | Keep the issue open until verified |
| Chrome is not installed | Not applicable to that device | Record the product absence separately |
The record also does not establish that disabling JavaScript, changing isolation settings, or enabling another browser option prevents exploitation. Administrators should not substitute an inferred workaround for the explicit version threshold.
Narrow Enterprise Guidance
For organizations, the key task is to establish which managed Android devices run Chrome below 150.0.7871.47 and then collect current evidence that those installations have been updated.The supplied NVD record does not prescribe a mobile-device-management product, deployment channel, inventory agent, update policy, or enforcement design. Organizations should use the capabilities documented for their own management platforms rather than assuming that every platform can remotely update Chrome, force a relaunch, or block an application according to its four-part version.
A defensible enterprise process has four stages:
- Identify Android devices that have Google Chrome installed.
- Collect the complete installed Chrome version.
- Remediate every version below 150.0.7871.47 through the organization’s supported process.
- Collect fresh version evidence and keep unknown or lower results open.
WindowsForum angle for Microsoft identity teams
CVE-2026-13868 is not established as a Windows vulnerability by the supplied record. The actionable WindowsForum connection is administrative: teams responsible for Microsoft identities and browser-based access should inventory managed Android Chrome versions and require 150.0.7871.47 or later before allowing sensitive browser-based work, if their management and access platforms support that control.That recommendation is intentionally conditional. The NVD record does not establish that a particular Microsoft, Google, or third-party platform can enforce a Chrome build threshold. Teams must confirm what their own products support before creating an access rule.
Where version-aware enforcement is unavailable, the immediate task remains inventory, user notification, supported remediation, and post-update verification. The article should not claim that conditional access, application-protection rules, session settings, or privileged-session architecture will compensate for the vulnerability without product-specific evidence.
Action checklist for administrators
- Inventory Google Chrome installations on managed Android devices.
- Collect the complete four-part installed version.
- Flag every Chrome installation below 150.0.7871.47.
- Treat missing, stale, truncated, or conflicting version data as unresolved.
- Direct affected users through the Chrome and Google Play update procedure.
- Use an organization-controlled deployment method only where the management platform documents support for it.
- Collect fresh version evidence after remediation.
- Close the finding only when Chrome reports 150.0.7871.47 or later.
- Record devices that cannot be verified and assign an owner and next action.
- If supported by the organization’s management and access platforms, prevent devices below the threshold from performing sensitive browser-based work.
- Evaluate Windows, macOS, Linux, ChromeOS, Android WebView, and other browsers separately rather than copying this Android Chrome threshold to them.
- Monitor authoritative vulnerability and vendor information for any later change in affected scope or exploitation status.
Record Timeline Without Unsupported Dates
The supplied NVD material shows that the public record was developed in stages, but the article does not need unconfirmed calendar dates to explain the sequence.Timeline
Chrome-originated vulnerability information: The record identified Google Chrome on Android, the Network component, the renderer-compromise prerequisite, crafted HTML, the site-isolation-bypass result, the Medium severity, and the affected boundary below 150.0.7871.47.CISA-ADP assessment: CISA-ADP contributed the CVSS 3.1 vector and 6.5 Medium score, the CWE-346 Origin Validation Error classification, and the SSVC selections.
NVD and NIST presentation: The supplied NVD record presented the contributed vulnerability information, assessments, references, and affected-product configuration. NVD had not supplied its own CVSS assessment in that record.
This sequence is useful for attribution. A score or classification displayed on an NVD page is not necessarily calculated by NVD. For CVE-2026-13868, the 6.5 CVSS score, vector, CWE assignment, and SSVC values should remain attributed to CISA-ADP.
Specific claims involving June 30, July 1, or July 6, 2026, have been omitted because they are not needed to identify affected devices or apply the update and should not be treated as disclosure, release, enrichment, or rollout dates without confirmed source-level support.
Scope Discipline Prevents Bad Vulnerability Tickets
The affected condition combines a product, platform, and version:- Product: Google Chrome.
- Platform: Android.
- Affected range: Versions earlier than 150.0.7871.47.
The same caution applies to Android WebView and other browsers. Shared components, Chromium ancestry, similar feature names, or overlapping browser behavior do not prove that another product contains the vulnerable implementation or uses Chrome’s corrected version number.
Administrators should therefore:
- Apply the 150.0.7871.47 threshold directly to Chrome on Android.
- Keep desktop Chrome out of this CVE’s affected population unless another authoritative source establishes applicability.
- Evaluate Android WebView independently.
- Consult each browser vendor before assigning the finding to another Chromium-based browser.
- Avoid using the Chrome version threshold as a universal Chromium compliance rule.
Verify the Version and Close the Gap
CVE-2026-13868 is a medium-severity, post-renderer-compromise site-isolation bypass affecting Chrome on Android below 150.0.7871.47, according to the supplied NVD record. The public information does not establish a standalone renderer exploit, sandbox escape, Android takeover, arbitrary-file access, cross-site data-read capability, or exposure on Windows and other unlisted platforms.The response is direct: open Chrome’s three-dot menu > Settings > About Chrome, verify the full version, and use the Google Play Store to update if it is below 150.0.7871.47. Enterprises should inventory managed Android Chrome installations, remediate lower versions, and require the corrected threshold for sensitive browser-based work where their management platform supports that control.
Patch Chrome on Android, verify 150.0.7871.47 or later, and keep every lower or unknown result open until it is resolved.
References
- Primary source: NVD / Chromium
Published: 2026-07-11T15:41:02-07:00
NVD - CVE-2026-13868
nvd.nist.gov
- Security advisory: MSRC
Published: 2026-07-11T15:41:02-07:00
Original feed URL
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: chromium.org
- Related coverage: chromium.googlesource.com
- Related coverage: blog.chromium.org
Chromium Blog: Recent Site Isolation improvements
In July 2018 we launched Site Isolation in Chrome as a way to secure desktop browsers against the risk of side-channel attacks like Spectr...blog.chromium.org