CVE-2026-13885 affects Google Chrome on Android before version 150.0.7871.47. According to the Chrome-sourced description, crafted HTML can trigger a use-after-free condition in Skia and allow a remote attacker to execute arbitrary code inside Chrome’s sandbox. Chrome labels the vulnerability Medium, while CISA-ADP assigns it a CVSS 3.1 base score of 8.8 High. The immediate action is straightforward: update Chrome through the Android device’s supported application-distribution channel, then verify that the installed Chrome version is 150.0.7871.47 or later.
This is a Chrome-on-Android version-compliance issue. The supplied record does not establish that desktop Chrome, every Chromium-based browser, or Android itself is affected. It also does not describe CVE-2026-13885 as a sandbox escape or a complete takeover of the device.
The stated affected-version condition is for Chrome on Android below 150.0.7871.47. Users and support teams should therefore verify Chrome’s complete installed version after applying the available update.
The version boundary is:
Update Chrome using the application-update method supported by the device, and then check the complete installed version. The public vulnerability material establishes the version threshold but does not prescribe a particular Android user-interface path, enterprise deployment product, or management workflow.
“User interaction required,” as recorded in the CISA-ADP CVSS vector, is consistent with the description’s reference to crafted HTML. The supplied material does not identify the precise navigation sequence, delivery route, page content, or user action involved. It therefore does not support claims about a particular message, website, application, or social-engineering campaign.
The phrase inside Chrome’s sandbox is an essential part of the documented outcome. The record does not characterize this vulnerability as a sandbox escape, Android privilege escalation, or complete compromise of the phone or tablet. At the same time, it should not be reduced to a harmless browser error: the stated consequence is arbitrary code execution inside the sandbox.
A concise and supportable description is:
The platform qualifier must remain attached to that conclusion. The supplied record does not justify extending the finding to:
This narrow scope is especially important for WindowsForum readers. A Windows security tool may recognize the CVE number or the Chrome product name, but the supplied evidence describes Chrome on Android before 150.0.7871.47. It does not establish a corresponding desktop Chrome vulnerability.
Chrome assigns CVE-2026-13885 a product security severity of Medium. CISA-ADP separately contributes a CVSS 3.1 base score of 8.8 High. NVD displays that contributed score, but the supplied record does not contain an independent NVD-authored CVSS assessment.
The CISA-ADP vector is:
Its recorded metric labels are:
The vendor description remains the limit of the public exploit claim: user interaction with crafted HTML can result in arbitrary code execution inside Chrome’s sandbox.
The difference between Medium and 8.8 High reflects two separately attributed assessment methods. It should not be resolved by relabeling Chrome’s rating, calling 8.8 an “NVD score,” or expanding the public attack description until it appears to match the numerical score. Users do not need to settle that methodological question before updating.
The public material does not identify:
The supplied references include a Chrome Releases page and a permission-restricted Chromium issue. The restricted state of the Chromium issue does not establish why access is limited, what technical evidence it contains, or whether exploit code exists. It simply means those details are not available from that reference without the required permission.
It would be inaccurate to say that visiting crafted content automatically gives an attacker complete control of an Android device. The documented code execution occurs inside Chrome’s sandbox, and the record does not identify a sandbox escape.
It would also be inaccurate to describe the issue only as a crash or rendering defect. The stated consequence is arbitrary code execution.
The supported middle ground is therefore precise:
“Exploitation: none” reflects the assessment contained in the supplied record. It does not establish that exploitation can never occur, but the record also does not support describing the vulnerability as actively exploited.
“Automatable: no” is the supplied SSVC selection. It should not be treated as proof about distribution volume, exploit reliability, or the exact actions a user must take.
“Technical impact: total” is likewise an SSVC categorization value. It does not override the vendor’s explicit statement that code execution occurs inside Chrome’s sandbox, and it does not establish complete compromise of Android.
The SSVC values provide assessment context. They do not expand the documented technical outcome.
This is not evidence of a Windows desktop Chrome finding. It is not a basis for declaring all Chromium browsers vulnerable. It is not a general claim about the Android operating system. The supplied product and version condition must remain intact.
The source distinctions remain important. Chrome supplies the core vulnerability description and Medium product severity. CISA-ADP supplies the displayed CVSS 3.1 vector, 8.8 High score, and SSVC contribution. NVD presents the record, while the initial analysis is attributed to NIST.
Those roles should remain visible when the information is copied into an advisory or support notice. In particular, the 8.8 score should be called the CISA-ADP CVSS 3.1 score, not an independent NVD score.
The reporting discipline matters just as much. Keep “inside Chrome’s sandbox” attached to the code-execution claim. Keep Chrome’s Medium rating separate from CISA-ADP’s 8.8 High score. Keep the CISA-ADP vector’s metrics within their CVSS context rather than treating them as broader exploit evidence. Keep the affected scope limited to Chrome on Android before the stated threshold.
Future authoritative updates may provide more technical detail, revised scoring, exploitation information, or broader product guidance. Until then, the evidence-led WindowsForum position is narrow and actionable: this is a Chrome-on-Android version-compliance issue, and the supported response is to update affected installations and confirm that they are running Chrome 150.0.7871.47 or later.
This is a Chrome-on-Android version-compliance issue. The supplied record does not establish that desktop Chrome, every Chromium-based browser, or Android itself is affected. It also does not describe CVE-2026-13885 as a sandbox escape or a complete takeover of the device.
Update and Verify Before Debating Severity
The stated affected-version condition is for Chrome on Android below 150.0.7871.47. Users and support teams should therefore verify Chrome’s complete installed version after applying the available update.The version boundary is:
- Affected: Chrome on Android before 150.0.7871.47.
- Fixed-version threshold: Chrome 150.0.7871.47.
- Recommended state: Chrome 150.0.7871.47 or later.
| Installed Chrome version on Android | Result |
|---|---|
| Below 150.0.7871.47 | Within the stated affected range |
| Exactly 150.0.7871.47 | Meets the stated fixed-version threshold |
| Later than 150.0.7871.47 | Beyond the stated affected range |
| Complete version unavailable | Cannot be evaluated against the stated boundary |
What the Public Description Establishes
The confirmed public description identifies the following elements:- The affected product is Google Chrome on Android.
- The affected range is before 150.0.7871.47.
- The vulnerable component is Skia.
- The weakness is identified as CWE-416, Use After Free.
- Crafted HTML is the documented trigger.
- A remote attacker can achieve arbitrary code execution inside Chrome’s sandbox.
“User interaction required,” as recorded in the CISA-ADP CVSS vector, is consistent with the description’s reference to crafted HTML. The supplied material does not identify the precise navigation sequence, delivery route, page content, or user action involved. It therefore does not support claims about a particular message, website, application, or social-engineering campaign.
The phrase inside Chrome’s sandbox is an essential part of the documented outcome. The record does not characterize this vulnerability as a sandbox escape, Android privilege escalation, or complete compromise of the phone or tablet. At the same time, it should not be reduced to a harmless browser error: the stated consequence is arbitrary code execution inside the sandbox.
A concise and supportable description is:
CVE-2026-13885 is a Skia use-after-free vulnerability affecting Chrome on Android before 150.0.7871.47. Crafted HTML can allow a remote attacker to execute arbitrary code inside Chrome’s sandbox.
The Version Boundary Matters More Than the Score
The most useful operational fact is the fixed-version threshold. A Chrome-on-Android installation below 150.0.7871.47 falls within the supplied affected range; an installation at or above that version does not.The platform qualifier must remain attached to that conclusion. The supplied record does not justify extending the finding to:
- Google Chrome on Windows, macOS, Linux, or ChromeOS.
- Every browser that incorporates Chromium code.
- Android devices that do not have an affected Chrome version installed.
- Other applications that may use graphics or rendering components.
- The Android operating system as a whole.
This narrow scope is especially important for WindowsForum readers. A Windows security tool may recognize the CVE number or the Chrome product name, but the supplied evidence describes Chrome on Android before 150.0.7871.47. It does not establish a corresponding desktop Chrome vulnerability.
Chrome Medium Versus CISA-ADP 8.8 High
The visible severity difference does not change the remediation threshold.Chrome assigns CVE-2026-13885 a product security severity of Medium. CISA-ADP separately contributes a CVSS 3.1 base score of 8.8 High. NVD displays that contributed score, but the supplied record does not contain an independent NVD-authored CVSS assessment.
| Assessment source | Method | Result |
|---|---|---|
| Chrome | Product security severity | Medium |
| CISA-ADP | CVSS 3.1 | 8.8 High |
| NVD/NIST | Independent NVD CVSS assessment | Not provided in the supplied record |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HIts recorded metric labels are:
- AV:N: Network attack vector.
- AC:L: Low attack complexity.
- PR:N: No privileges required.
- UI:R: User interaction required.
- S:U: Unchanged scope.
- C:H: High confidentiality impact.
- I:H: High integrity impact.
- A:H: High availability impact.
The vendor description remains the limit of the public exploit claim: user interaction with crafted HTML can result in arbitrary code execution inside Chrome’s sandbox.
The difference between Medium and 8.8 High reflects two separately attributed assessment methods. It should not be resolved by relabeling Chrome’s rating, calling 8.8 an “NVD score,” or expanding the public attack description until it appears to match the numerical score. Users do not need to settle that methodological question before updating.
Use After Free Is the Confirmed Weakness
The supplied record maps CVE-2026-13885 to CWE-416, named Use After Free. That classification should be reported without adding unsupported technical detail.The public material does not identify:
- The specific Skia object involved.
- The relevant allocation or release sequence.
- The precise rendering operation that triggers the condition.
- A proof of concept.
- A memory-layout or exploitation technique.
- A method for escaping Chrome’s sandbox.
- A second vulnerability used in an exploit chain.
- A path to Android-level privileges.
The supplied references include a Chrome Releases page and a permission-restricted Chromium issue. The restricted state of the Chromium issue does not establish why access is limited, what technical evidence it contains, or whether exploit code exists. It simply means those details are not available from that reference without the required permission.
The Sandbox Defines the Reported Boundary
The public description supports neither alarmist nor dismissive language.It would be inaccurate to say that visiting crafted content automatically gives an attacker complete control of an Android device. The documented code execution occurs inside Chrome’s sandbox, and the record does not identify a sandbox escape.
It would also be inaccurate to describe the issue only as a crash or rendering defect. The stated consequence is arbitrary code execution.
The supported middle ground is therefore precise:
This wording preserves both the seriousness of code execution and the boundary stated by the vendor. References to a sandbox should not be dropped from short advisories, headlines, or internal summaries, because doing so materially broadens the apparent result.Crafted HTML can trigger arbitrary code execution inside Chrome’s sandbox on affected Chrome-for-Android installations.
SSVC Values Require Narrow Interpretation
CISA-ADP’s Stakeholder-Specific Vulnerability Categorization contribution records:- Exploitation: none.
- Automatable: no.
- Technical impact: total.
- SSVC version: 2.0.3.
- Role: CISA Coordinator.
“Exploitation: none” reflects the assessment contained in the supplied record. It does not establish that exploitation can never occur, but the record also does not support describing the vulnerability as actively exploited.
“Automatable: no” is the supplied SSVC selection. It should not be treated as proof about distribution volume, exploit reliability, or the exact actions a user must take.
“Technical impact: total” is likewise an SSVC categorization value. It does not override the vendor’s explicit statement that code execution occurs inside Chrome’s sandbox, and it does not establish complete compromise of Android.
The SSVC values provide assessment context. They do not expand the documented technical outcome.
WindowsForum Operational Angle
For WindowsForum readers, the practical connection is concise: determine whether an Android device has Chrome installed and whether that installation is below 150.0.7871.47.This is not evidence of a Windows desktop Chrome finding. It is not a basis for declaring all Chromium browsers vulnerable. It is not a general claim about the Android operating system. The supplied product and version condition must remain intact.
Action checklist for administrators
- Identify relevant Android devices running Google Chrome.
- Obtain the complete installed Chrome version.
- Flag installations below 150.0.7871.47.
- Update affected installations through the device or organization’s supported application-distribution process.
- Verify that Chrome reports version 150.0.7871.47 or later after remediation.
- Keep findings limited to the product, platform, and version range established by the supplied record.
- Do not convert the CISA-ADP score into an NVD-authored score.
- Do not describe the vulnerability as a documented sandbox escape or full Android takeover.
Record Milestones
The supplied history provides concrete dates for the public record:| Date | Record event |
|---|---|
| June 30, 2026 | CVE-2026-13885 was published |
| July 1, 2026 | NIST recorded its initial analysis |
| July 2, 2026 | The record was last modified |
Those roles should remain visible when the information is copied into an advisory or support notice. In particular, the 8.8 score should be called the CISA-ADP CVSS 3.1 score, not an independent NVD score.
A Narrow, Actionable Advisory
An internal notice does not need speculative technical background to justify remediation. It can state:That wording answers the central questions:Update Google Chrome on Android to version 150.0.7871.47 or later. Earlier versions are affected by CVE-2026-13885, a Skia use-after-free that crafted HTML can trigger to produce arbitrary code execution inside Chrome’s sandbox. Chrome rates the vulnerability Medium, while CISA-ADP separately assigns a CVSS 3.1 score of 8.8 High. The supplied record does not characterize the issue as a sandbox escape, complete Android takeover, desktop Chrome vulnerability, or flaw affecting every Chromium-based browser.
- What is affected? Chrome on Android before 150.0.7871.47.
- What is the documented trigger? Crafted HTML requiring user interaction.
- What is the documented consequence? Arbitrary code execution inside Chrome’s sandbox.
- What version crosses the stated boundary? Chrome 150.0.7871.47 or later.
- Why do the severity labels differ? Chrome and CISA-ADP use separately attributed assessment methods.
- What has not been established? A sandbox escape, full-device takeover, broader Chromium scope, or independent NVD CVSS score.
What Defenders Should Carry Forward
The immediate response is simple: update Chrome on Android and verify that the installed version is 150.0.7871.47 or later.The reporting discipline matters just as much. Keep “inside Chrome’s sandbox” attached to the code-execution claim. Keep Chrome’s Medium rating separate from CISA-ADP’s 8.8 High score. Keep the CISA-ADP vector’s metrics within their CVSS context rather than treating them as broader exploit evidence. Keep the affected scope limited to Chrome on Android before the stated threshold.
Future authoritative updates may provide more technical detail, revised scoring, exploitation information, or broader product guidance. Until then, the evidence-led WindowsForum position is narrow and actionable: this is a Chrome-on-Android version-compliance issue, and the supported response is to update affected installations and confirm that they are running Chrome 150.0.7871.47 or later.
References
- Primary source: NVD / Chromium
Published: 2026-07-11T15:41:06-07:00
NVD - CVE-2026-13885
nvd.nist.gov
- Security advisory: MSRC
Published: 2026-07-11T15:41:06-07:00
Original feed URL
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: cvefeed.io
CVE-2026-13885 - Skia Use-After-Free Vulnerability
Use after free in Skia in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)cvefeed.io - Related coverage: vulnerability.circl.lu
Vulnerability-Lookup
Vulnerability-Lookup - Fast vulnerability lookup correlation from different sources.vulnerability.circl.lu