CVE-2026-13885: Update Chrome Android to 150.0.7871.47

CVE-2026-13885 affects Google Chrome on Android before version 150.0.7871.47. According to the Chrome-sourced description, crafted HTML can trigger a use-after-free condition in Skia and allow a remote attacker to execute arbitrary code inside Chrome’s sandbox. Chrome labels the vulnerability Medium, while CISA-ADP assigns it a CVSS 3.1 base score of 8.8 High. The immediate action is straightforward: update Chrome through the Android device’s supported application-distribution channel, then verify that the installed Chrome version is 150.0.7871.47 or later.
This is a Chrome-on-Android version-compliance issue. The supplied record does not establish that desktop Chrome, every Chromium-based browser, or Android itself is affected. It also does not describe CVE-2026-13885 as a sandbox escape or a complete takeover of the device.

Phone showing Chrome version information beside a browser sandbox security graphic with a warning bug.Update and Verify Before Debating Severity​

The stated affected-version condition is for Chrome on Android below 150.0.7871.47. Users and support teams should therefore verify Chrome’s complete installed version after applying the available update.
The version boundary is:
  • Affected: Chrome on Android before 150.0.7871.47.
  • Fixed-version threshold: Chrome 150.0.7871.47.
  • Recommended state: Chrome 150.0.7871.47 or later.
Installed Chrome version on AndroidResult
Below 150.0.7871.47Within the stated affected range
Exactly 150.0.7871.47Meets the stated fixed-version threshold
Later than 150.0.7871.47Beyond the stated affected range
Complete version unavailableCannot be evaluated against the stated boundary
Update Chrome using the application-update method supported by the device, and then check the complete installed version. The public vulnerability material establishes the version threshold but does not prescribe a particular Android user-interface path, enterprise deployment product, or management workflow.

What the Public Description Establishes​

The confirmed public description identifies the following elements:
  • The affected product is Google Chrome on Android.
  • The affected range is before 150.0.7871.47.
  • The vulnerable component is Skia.
  • The weakness is identified as CWE-416, Use After Free.
  • Crafted HTML is the documented trigger.
  • A remote attacker can achieve arbitrary code execution inside Chrome’s sandbox.
Those points support prompt remediation without requiring a broader or more speculative attack narrative.
“User interaction required,” as recorded in the CISA-ADP CVSS vector, is consistent with the description’s reference to crafted HTML. The supplied material does not identify the precise navigation sequence, delivery route, page content, or user action involved. It therefore does not support claims about a particular message, website, application, or social-engineering campaign.
The phrase inside Chrome’s sandbox is an essential part of the documented outcome. The record does not characterize this vulnerability as a sandbox escape, Android privilege escalation, or complete compromise of the phone or tablet. At the same time, it should not be reduced to a harmless browser error: the stated consequence is arbitrary code execution inside the sandbox.
A concise and supportable description is:
CVE-2026-13885 is a Skia use-after-free vulnerability affecting Chrome on Android before 150.0.7871.47. Crafted HTML can allow a remote attacker to execute arbitrary code inside Chrome’s sandbox.

The Version Boundary Matters More Than the Score​

The most useful operational fact is the fixed-version threshold. A Chrome-on-Android installation below 150.0.7871.47 falls within the supplied affected range; an installation at or above that version does not.
The platform qualifier must remain attached to that conclusion. The supplied record does not justify extending the finding to:
  • Google Chrome on Windows, macOS, Linux, or ChromeOS.
  • Every browser that incorporates Chromium code.
  • Android devices that do not have an affected Chrome version installed.
  • Other applications that may use graphics or rendering components.
  • The Android operating system as a whole.
Related products should be evaluated through their own vendor guidance rather than assumed to be affected because they share code, branding, or version-number patterns.
This narrow scope is especially important for WindowsForum readers. A Windows security tool may recognize the CVE number or the Chrome product name, but the supplied evidence describes Chrome on Android before 150.0.7871.47. It does not establish a corresponding desktop Chrome vulnerability.

Chrome Medium Versus CISA-ADP 8.8 High​

The visible severity difference does not change the remediation threshold.
Chrome assigns CVE-2026-13885 a product security severity of Medium. CISA-ADP separately contributes a CVSS 3.1 base score of 8.8 High. NVD displays that contributed score, but the supplied record does not contain an independent NVD-authored CVSS assessment.
Assessment sourceMethodResult
ChromeProduct security severityMedium
CISA-ADPCVSS 3.18.8 High
NVD/NISTIndependent NVD CVSS assessmentNot provided in the supplied record
The CISA-ADP vector is:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Its recorded metric labels are:
  • AV:N: Network attack vector.
  • AC:L: Low attack complexity.
  • PR:N: No privileges required.
  • UI:R: User interaction required.
  • S:U: Unchanged scope.
  • C:H: High confidentiality impact.
  • I:H: High integrity impact.
  • A:H: High availability impact.
These are CVSS metric selections, not an expanded description of the exploit. They should not be used as proof of an undocumented sandbox escape, full-device compromise, privilege-escalation stage, or specific access to files, credentials, accounts, sensors, or Android services.
The vendor description remains the limit of the public exploit claim: user interaction with crafted HTML can result in arbitrary code execution inside Chrome’s sandbox.
The difference between Medium and 8.8 High reflects two separately attributed assessment methods. It should not be resolved by relabeling Chrome’s rating, calling 8.8 an “NVD score,” or expanding the public attack description until it appears to match the numerical score. Users do not need to settle that methodological question before updating.

Use After Free Is the Confirmed Weakness​

The supplied record maps CVE-2026-13885 to CWE-416, named Use After Free. That classification should be reported without adding unsupported technical detail.
The public material does not identify:
  • The specific Skia object involved.
  • The relevant allocation or release sequence.
  • The precise rendering operation that triggers the condition.
  • A proof of concept.
  • A memory-layout or exploitation technique.
  • A method for escaping Chrome’s sandbox.
  • A second vulnerability used in an exploit chain.
  • A path to Android-level privileges.
Likewise, the reference to crafted HTML should not be expanded into claims about a particular image format, font, canvas operation, graphics API, or other browser input unless a separate authoritative source establishes that detail.
The supplied references include a Chrome Releases page and a permission-restricted Chromium issue. The restricted state of the Chromium issue does not establish why access is limited, what technical evidence it contains, or whether exploit code exists. It simply means those details are not available from that reference without the required permission.

The Sandbox Defines the Reported Boundary​

The public description supports neither alarmist nor dismissive language.
It would be inaccurate to say that visiting crafted content automatically gives an attacker complete control of an Android device. The documented code execution occurs inside Chrome’s sandbox, and the record does not identify a sandbox escape.
It would also be inaccurate to describe the issue only as a crash or rendering defect. The stated consequence is arbitrary code execution.
The supported middle ground is therefore precise:
Crafted HTML can trigger arbitrary code execution inside Chrome’s sandbox on affected Chrome-for-Android installations.
This wording preserves both the seriousness of code execution and the boundary stated by the vendor. References to a sandbox should not be dropped from short advisories, headlines, or internal summaries, because doing so materially broadens the apparent result.

SSVC Values Require Narrow Interpretation​

CISA-ADP’s Stakeholder-Specific Vulnerability Categorization contribution records:
  • Exploitation: none.
  • Automatable: no.
  • Technical impact: total.
  • SSVC version: 2.0.3.
  • Role: CISA Coordinator.
These values should be presented as recorded categories rather than translated into additional exploit claims.
“Exploitation: none” reflects the assessment contained in the supplied record. It does not establish that exploitation can never occur, but the record also does not support describing the vulnerability as actively exploited.
“Automatable: no” is the supplied SSVC selection. It should not be treated as proof about distribution volume, exploit reliability, or the exact actions a user must take.
“Technical impact: total” is likewise an SSVC categorization value. It does not override the vendor’s explicit statement that code execution occurs inside Chrome’s sandbox, and it does not establish complete compromise of Android.
The SSVC values provide assessment context. They do not expand the documented technical outcome.

WindowsForum Operational Angle​

For WindowsForum readers, the practical connection is concise: determine whether an Android device has Chrome installed and whether that installation is below 150.0.7871.47.
This is not evidence of a Windows desktop Chrome finding. It is not a basis for declaring all Chromium browsers vulnerable. It is not a general claim about the Android operating system. The supplied product and version condition must remain intact.

Action checklist for administrators​

  • Identify relevant Android devices running Google Chrome.
  • Obtain the complete installed Chrome version.
  • Flag installations below 150.0.7871.47.
  • Update affected installations through the device or organization’s supported application-distribution process.
  • Verify that Chrome reports version 150.0.7871.47 or later after remediation.
  • Keep findings limited to the product, platform, and version range established by the supplied record.
  • Do not convert the CISA-ADP score into an NVD-authored score.
  • Do not describe the vulnerability as a documented sandbox escape or full Android takeover.
The supplied NVD material does not prescribe an inventory platform, mobile-device-management configuration, rollout control, exception procedure, evidence-retention format, or access restriction. Organizations may use their established processes, but those processes should not be presented as CVE-specific vendor guidance.

Record Milestones​

The supplied history provides concrete dates for the public record:
DateRecord event
June 30, 2026CVE-2026-13885 was published
July 1, 2026NIST recorded its initial analysis
July 2, 2026The record was last modified
The source distinctions remain important. Chrome supplies the core vulnerability description and Medium product severity. CISA-ADP supplies the displayed CVSS 3.1 vector, 8.8 High score, and SSVC contribution. NVD presents the record, while the initial analysis is attributed to NIST.
Those roles should remain visible when the information is copied into an advisory or support notice. In particular, the 8.8 score should be called the CISA-ADP CVSS 3.1 score, not an independent NVD score.

A Narrow, Actionable Advisory​

An internal notice does not need speculative technical background to justify remediation. It can state:
Update Google Chrome on Android to version 150.0.7871.47 or later. Earlier versions are affected by CVE-2026-13885, a Skia use-after-free that crafted HTML can trigger to produce arbitrary code execution inside Chrome’s sandbox. Chrome rates the vulnerability Medium, while CISA-ADP separately assigns a CVSS 3.1 score of 8.8 High. The supplied record does not characterize the issue as a sandbox escape, complete Android takeover, desktop Chrome vulnerability, or flaw affecting every Chromium-based browser.
That wording answers the central questions:
  • What is affected? Chrome on Android before 150.0.7871.47.
  • What is the documented trigger? Crafted HTML requiring user interaction.
  • What is the documented consequence? Arbitrary code execution inside Chrome’s sandbox.
  • What version crosses the stated boundary? Chrome 150.0.7871.47 or later.
  • Why do the severity labels differ? Chrome and CISA-ADP use separately attributed assessment methods.
  • What has not been established? A sandbox escape, full-device takeover, broader Chromium scope, or independent NVD CVSS score.

What Defenders Should Carry Forward​

The immediate response is simple: update Chrome on Android and verify that the installed version is 150.0.7871.47 or later.
The reporting discipline matters just as much. Keep “inside Chrome’s sandbox” attached to the code-execution claim. Keep Chrome’s Medium rating separate from CISA-ADP’s 8.8 High score. Keep the CISA-ADP vector’s metrics within their CVSS context rather than treating them as broader exploit evidence. Keep the affected scope limited to Chrome on Android before the stated threshold.
Future authoritative updates may provide more technical detail, revised scoring, exploitation information, or broader product guidance. Until then, the evidence-led WindowsForum position is narrow and actionable: this is a Chrome-on-Android version-compliance issue, and the supported response is to update affected installations and confirm that they are running Chrome 150.0.7871.47 or later.

References​

  1. Primary source: NVD / Chromium
    Published: 2026-07-11T15:41:06-07:00
  2. Security advisory: MSRC
    Published: 2026-07-11T15:41:06-07:00
    Original feed URL
  3. Related coverage: cvefeed.io
  4. Related coverage: vulnerability.circl.lu
 

Back
Top