CVE-2026-13924 Fixed in Chrome Android 150.0.7871.47

Google fixed CVE-2026-13924 in Chrome for Android 150.0.7871.47. The vulnerability involves insufficient validation of untrusted input in WebView and could allow a remote attacker who had already compromised the renderer process to use crafted HTML to bypass the same-origin policy. Organizations should identify Android devices running Chrome versions earlier than 150.0.7871.47, update them to that version or later, and verify the installed result.
The prerequisite is important: the public record does not describe this flaw as a standalone compromise of an otherwise secure Android device. It supports a narrower conclusion—a same-origin-policy bypass after renderer compromise, with CISA-ADP rating the integrity impact High. Claims about unauthorized transactions, authenticated-session abuse, native application access, data theft, or broader enterprise-service compromise would go beyond the available evidence.

A smartphone shows a Chrome security update beside a laptop displaying a device security compliance dashboard.A Medium Rating, but a Meaningful Security Boundary​

The CVE record describes CVE-2026-13924 as insufficient validation of untrusted input in WebView in Google Chrome on Android. It affects versions earlier than 150.0.7871.47 and carries Chromium’s medium security severity.
The weakness is classified as CWE-20, Improper Input Validation. The significant result is not the generic weakness name but the stated security consequence: crafted HTML could bypass Chrome’s same-origin policy after the attacker had compromised the renderer process.
The same-origin policy is a foundational web security boundary intended to separate content belonging to different origins. The public description establishes that this boundary could be bypassed under the stated conditions, but it does not disclose the affected code path, the exact operation enabled by the bypass, or a proof of concept.
CISA-ADP supplied a CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N, producing a base score of 6.5 and a Medium rating. In practical terms, the vector identifies a network attack with low attack complexity, no privileges required, required user interaction, unchanged CVSS scope, no scored confidentiality or availability impact, and High integrity impact.
That scoring should be reported precisely. The record supports a potentially serious loss of integrity, but it does not identify particular state changes, affected accounts, application actions, or business processes. It also does not establish that the vulnerability can independently compromise the renderer.
The linked Chromium issue is permission-restricted, leaving defenders without public trigger details or patch mechanics. The most actionable information is therefore the product and version boundary: Chrome on Android before 150.0.7871.47 is affected, and 150.0.7871.47 is the published corrected threshold.
Scoring and provenance
  • CISA-ADP CVSS v3.1 score: 6.5, Medium
  • Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
  • Highest scored impact: Integrity, High
  • NVD assessment status: NVD had not supplied its own CVSS assessment in the available record
  • Affected product: Google Chrome on Android
  • Affected range: Versions earlier than 150.0.7871.47

The Renderer Prerequisite Defines the Threat​

The phrase “had compromised the renderer process” is the central constraint in the public description. CVE-2026-13924 is not presented as the vulnerability that initially produces renderer compromise. Instead, it becomes usable after that condition has already been achieved.
That makes the flaw relevant as a possible exploit-chain component rather than a complete attack method by itself. An attacker meeting the renderer-compromise prerequisite could then use crafted HTML to reach the same-origin-policy bypass described in the record.
No additional chain should be treated as established. The available evidence does not identify a companion vulnerability, a sandbox escape, an operating-system compromise, or a route from the same-origin bypass to native Android privileges. It also does not say that exploitation is zero-click or that merely opening Chrome is sufficient.
CISA-ADP’s vector requires user interaction, but the public description does not provide enough detail to define that interaction more narrowly. Defenders should avoid converting “crafted HTML” into unsupported claims about a particular link, advertisement, message, application screen, or navigation sequence.
The measured conclusion is that the prerequisite lowers the significance of this flaw as a standalone threat without eliminating the need to patch it. Once an update correcting a security-boundary failure is available, waiting for a fully documented exploit chain offers little defensive benefit.

Risk Triage: What Is and Is Not in Scope​

The available evidence supports a compact scope assessment:
QuestionVerified conclusion
What product is affected?Google Chrome on Android
What versions are affected?Versions earlier than 150.0.7871.47
What is the corrected threshold?Chrome for Android 150.0.7871.47 or later
Is desktop Chrome identified as affected?No affected desktop Chrome range is identified in the CVE record
What prerequisite is stated?The attacker must already have compromised the renderer process
What follows that prerequisite?Crafted HTML could be used to bypass the same-origin policy
What impact is scored?CISA-ADP rates integrity High, with no scored confidentiality or availability impact
Is every Android application using WebView established as affected?No
Does the record establish that updating Chrome fixes every embedded-browser implementation?No
The wording “in WebView in Google Chrome on Android” must be preserved. It should not be broadened into a claim that every Android application, every Android WebView provider, or every embedded-browser implementation is vulnerable.
Android applications can use different embedded-browser arrangements, versions, providers, and vendor-controlled components. The available CVE evidence does not inventory those implementations and does not establish that installing a Chrome update necessarily remediates every application’s embedded browser.
For the same reason, desktop scope should not be inferred from NVD’s reference list. NVD links to a desktop Chrome release-notes post and classifies it as a Release Notes reference. The available evidence does not establish that the post itself includes CVE-2026-13924, nor does the reference title override the CVE’s affected-product statement.
Administrators should therefore keep the immediate response focused on the verified scope: Chrome on Android before 150.0.7871.47. Any expansion to Android System WebView, vendor browsers, custom Chromium builds, or application-bundled engines should be based on documentation from the relevant vendor.

What the Integrity Rating Does—and Does Not—Mean​

The CVSS vector assigns High integrity impact while assigning no confidentiality or availability impact. This is useful prioritization information, but it should not be expanded beyond what the record actually establishes.
An integrity impact generally concerns the trustworthiness or permitted modification of information and behavior. In this case, the concrete technical statement is that the flaw could bypass the same-origin policy after renderer compromise.
The public record does not specify:
  • A transaction that an attacker could perform.
  • A setting or account state that could be changed.
  • An authenticated session that could be abused.
  • A native Android interface that could be reached.
  • An application bridge that could be exposed.
  • An enterprise service that could be affected.
  • A persistence mechanism or device-level privilege increase.
Those may be useful questions during internal risk assessment, but they are not verified outcomes of CVE-2026-13924. Reporting should distinguish the confirmed browser-boundary failure from hypothetical consequences that depend on undisclosed technical details or on the design of a particular application.
The absence of scored confidentiality and availability impact also should not be rewritten as proof that those effects are technically impossible under every chained scenario. It means that the supplied CISA-ADP vector did not score them as impacts of this vulnerability. Defenders should use the vector as published rather than adding or subtracting consequences based on speculation.

General Background: Browser and Application Controls​

The following points are general security background, not CVE-specific findings.
Modern browsers commonly use multiple processes and containment mechanisms to limit the consequences of hostile web content. Web applications also use controls such as server-side authorization, anti-forgery protections, Content Security Policy, Cross-Origin Resource Sharing policies, and restrictions on framing or navigation.
None of those general controls is identified in the public CVE description as a prerequisite, mitigation, bypass target, or complete compensating control for CVE-2026-13924. The record specifically states renderer compromise followed by crafted HTML and a same-origin-policy bypass.
Likewise, some Android applications expose native functionality to web content through application-defined interfaces. The available evidence does not say that CVE-2026-13924 reaches such an interface or that a JavaScript bridge is involved. Application owners may review privileged web-to-native integrations as a matter of general secure design, but they should not report native bridge exposure as a demonstrated effect of this CVE.
This distinction keeps the response grounded. General architectural review can improve resilience, but it does not replace installing the corrected product version.

The Public Record Has Multiple Contributors​

The NVD entry combines information from several contributors rather than representing one organization’s unified analysis. That provenance matters when quoting severity, weakness classification, configuration data, and prioritization fields.
Chrome is identified as the source of the CVE description and affected-version information. CISA-ADP contributed the visible CVSS v3.1 score and related enrichment. NIST added NVD analysis and configuration information, while NVD’s own CVSS sections remained unassessed in the available record.

Record-enrichment timeline​

  1. Initial publication: The CVE entered the public record with the Chrome-on-Android WebView description, the affected range below 150.0.7871.47, a weakness classification, and references including a restricted Chromium issue.
  2. CISA-ADP enrichment: CISA-ADP added its CVSS v3.1 vector and prioritization information.
  3. NIST analysis: NIST added a configuration tying the affected Chrome version range to Android and categorized the available references.
  4. Current operational conclusion: Chrome on Android before 150.0.7871.47 remains the supported affected range, while NVD had not supplied its own CVSS score in the available record.
Exact publication and modification dates have been omitted because they were not confirmed by the verified material available for this revision. The same applies to precise SSVC timestamps previously presented in the article.
The record’s change history may show fields being added, modified, or removed by different enrichment contributors. That activity should not be interpreted as evidence of a change in exploitability unless the current record explicitly makes such a change. For remediation, the stable facts are the affected product, the renderer-compromise prerequisite, the same-origin-policy consequence, and the fixed-version threshold.

Patch Verification Matters More Than Update Intent​

The available source establishes that affected Chrome for Android installations must reach version 150.0.7871.47 or later. It does not provide verified, product-specific instructions for navigating the Google Play interface or locating Chrome’s version screen.
Because those paths were not included in the verified-source packet, this article does not present an exact sequence of Play Store taps or Chrome menu selections. Interface instructions can also vary by device, account configuration, management policy, application-store version, and vendor customization.
The actionable response is still clear:
  1. Identify managed Android devices with Google Chrome installed.
  2. Collect the installed Chrome version from a trusted inventory source.
  3. Flag any version earlier than 150.0.7871.47.
  4. Use the organization’s approved application-distribution or device-management process to install Chrome 150.0.7871.47 or later.
  5. Query the device again after deployment and confirm that the reported installed version meets or exceeds the threshold.
  6. Investigate devices that do not report a version, do not receive the update, or remain below policy.
  7. Obtain vendor documentation before assuming that the Chrome package version represents the engine used by every embedded browser on the device.
The difference between deployment and verification is important. Approving an update, assigning it to a group, or telling users to install it does not demonstrate that every affected device now meets the corrected threshold.
Administrators should retain evidence of the post-update version wherever their management tooling permits. At minimum, a compliance report should distinguish among devices verified at or above 150.0.7871.47, devices confirmed below it, and devices whose status is unknown.
Unknown status should not be treated as compliant. It represents an inventory or telemetry gap requiring follow-up.

Action checklist for administrators​

  • Inventory Google Chrome versions on managed Android devices.
  • Flag every verified Chrome version earlier than 150.0.7871.47.
  • Deploy Chrome 150.0.7871.47 or later through the approved management channel.
  • Re-query devices after deployment and record the installed version.
  • Follow up on devices that are offline, unmanaged, stale, or missing version data.
  • Do not add desktop Chrome devices to the affected population based only on the title of an NVD-linked release-notes reference.
  • Do not assume that updating Chrome remediates every Android WebView or embedded-browser implementation.
  • Check vendor documentation for applications that use a separately maintained, bundled, or customized browser engine.
  • Avoid treating update approval as proof of update installation.
  • Escalate unsupported or end-of-maintenance devices that cannot reach the corrected version.
These actions do not depend on speculative exploit scenarios. They follow directly from the published product and version boundary.

Application Owners Should Confirm Their Browser Dependency​

Infrastructure teams can determine whether Google Chrome on a managed Android device is below the published threshold. Application owners may still need to determine whether a business application relies on Chrome’s affected WebView path, another system component, a custom browser tab, a bundled engine, or a vendor-specific embedded browser.
That work should begin with documentation rather than inference. Useful questions include:
  • Which browser or WebView component renders web content in the application?
  • Is that component supplied by Chrome, the operating system, the device vendor, or the application itself?
  • Is its version visible through application inventory or diagnostic data?
  • Does the application vendor identify CVE-2026-13924 as affecting its product?
  • Does the vendor require a separate application update in addition to the Chrome update?
  • Can the organization verify the rendering component’s version after remediation?
These are scope and dependency questions, not claims about exploitation. The CVE record does not say that all applications displaying web content are affected, nor does it say that an application’s authentication flow, internal portal, advertisements, redirects, or JavaScript interfaces are exposed.
Application owners should avoid declaring remediation complete solely because Chrome was updated if they have not established that Chrome supplies the relevant embedded-browser implementation. Conversely, they should not declare every WebView-based application vulnerable without product-specific evidence.
Where an application vendor confirms that its product uses the affected Chrome-on-Android path, the organization can include that application in testing and verification. Where the vendor identifies a different engine, the organization should follow that vendor’s security guidance and corrected-version information.

A Focused Response Is Better Than an Inflated One​

CVE-2026-13924 does not require dramatic claims to justify remediation. The supported facts are sufficient:
  • It affects Google Chrome on Android before 150.0.7871.47.
  • It involves insufficient validation of untrusted input in WebView.
  • Renderer compromise is a stated prerequisite.
  • Crafted HTML could then bypass the same-origin policy.
  • CISA-ADP supplied a 6.5 Medium CVSS v3.1 score.
  • The supplied vector rates integrity impact High.
  • NVD had not supplied its own CVSS assessment in the available record.
  • Desktop Chrome is not identified as an affected product.
  • The evidence does not establish that every Android WebView implementation is affected.
  • The remediation threshold is Chrome for Android 150.0.7871.47 or later.
Security teams should patch the verified affected product, confirm the installed version, and document unknown or noncompliant devices. They should also obtain vendor guidance before extending the finding to other embedded browsers or declaring those implementations remediated.
That approach preserves urgency without overstating the threat. It also produces a result administrators can defend during incident review or compliance reporting: the affected Chrome-on-Android population was identified, updated to the published corrected threshold, and verified rather than merely assumed secure.

References​

  1. Primary source: NVD / Chromium
    Published: 2026-07-11T15:41:12-07:00
  2. Security advisory: MSRC
    Published: 2026-07-11T15:41:12-07:00
    Original feed URL
  3. Related coverage: cvefeed.io
  4. Related coverage: chromium.org
  5. Related coverage: developer.android.com
 

Back
Top