Google pushed out a targeted fix for Chrome on Android this week, closing a medium-severity vulnerability that lets attackers craft web pages capable of mimicking the browser’s own interface. The bug, assigned CVE-2026-13995, affects all Chrome for Android releases before version 150.0.7871.47. While the severity label doesn’t scream “emergency,” the nature of the flaw—an input-validation weakness in Autofill—makes it a practical tool for phishing and credential theft. Remote attackers need only lure a victim to a specially designed HTML page to pull off the spoof.

What changed in Chrome 150.0.7871.47

The core problem sits inside the Autofill subsystem. Chrome’s Autofill handles form data—addresses, payment details, passwords—and renders suggestions or prompts when you tap a field. The bug, as described in Google’s advisory, stems from insufficient validation of certain inputs fed to Autofill. By crafting a malicious HTML page, an attacker could manipulate what the user sees on screen, overlaying fake dialog boxes, login forms, or permission prompts that appear to come from Chrome itself. These spoofed UI elements could trick someone into typing passwords, credit card numbers, or approving actions they never intended.

Version 150.0.7871.47 tightens those validation checks. Although Google hasn’t published a detailed technical breakdown—the company typically withholds deep exploit code until the majority of users have patched—the CVE entry confirms that the flaw no longer exists in the updated build. The patch rolled out through the Google Play Store, bundled with the version 150 milestone release that also delivers the usual quartet of high-severity fixes Chrome ships each month.

Why a “medium” bug still matters

Medium-severity ratings in the Chrome vulnerability rewards program often downplay the real-world impact because the rating considers worst-case escalation potential, not the ease of attack. Spoofing attacks rarely give root access to the device, so they cap out at medium. But for anyone who handles sensitive data on the go—which is nearly everyone—UI spoofing ranks among the most dangerous attack vectors. A well-executed spoof can bypass the human eye’s suspicion threshold completely.

Here’s what that means for different groups:

  • Home users: If you use Chrome as your default Android browser, a single tap on a link in an email, SMS, or social media post could bring up a page that looks exactly like a Google sign-in prompt. If you fill it in, your credentials are gone. Enabling sync with Google’s password manager could expose those saved passwords on a compromised account.
  • Enterprise administrators: Employees who use personal Android devices for work (BYOD) or corporate-owned handsets are walking targets. A spoofed Microsoft 365 or Okta login page could open the door to the corporate network. IT teams relying on MDM platforms like Microsoft Intune or VMware Workspace ONE need to verify that managed Chrome instances are force-updated, because the attacker doesn’t need device admin rights to execute this—only a browser visit.
  • Developers and testers: Those running Chrome beta, dev, or canary channels should check their version numbers, too. While the fix landed in the stable channel first, pre-release builds often inherit security patches quickly. Verify that your testing device isn’t lagging on an older, vulnerable build.

How we got here

Autofill has been a double-edged sword since its introduction. It saves time and reduces typing errors, but its deep integration with the browser’s rendering engine makes it an appealing target for UI redress attacks—historically called “clickjacking” or “tapjacking” on mobile. Google has hardened the feature repeatedly over the years, adding site isolation and visual indicators, but the sheer complexity of the Chrome codebase means new validation gaps occasionally slip through.

The Android edition of Chrome shares most of its underlying engine with desktop versions, but it faces a greater spoofing threat because mobile screens are smaller and users are more accustomed to pop-ups and overlays. A full-screen fake prompt can completely obscure the real URL bar, especially on devices with gesture navigation that hide the top bar. This is not the first time Chrome’s Autofill has shown a validation flaw: similar medium-severity bugs appeared in 2022 and again in early 2025, each time patched before widespread exploitation.

CVE-2026-13995 was discovered through Google’s vulnerability disclosure program. That means it was reported privately, giving the Chrome team time to develop and test a fix before the public announcement. The coordinated disclosure timeline aligns with Chrome’s typical six-week major release cycle; version 150 entered stable just as the patch for this bug was ready.

What to do right now

Updating is a two-minute task, but it’s not always automatic if you’ve disabled background updates or have limited data settings. Take these steps:

  1. Open the Google Play Store on your Android device.
  2. Tap your profile icon at the top right, then select Manage apps and device.
  3. Under “Updates available,” find Chrome and tap Update. If you see “Open” instead, Chrome is already on the latest version.
  4. To double-check, open Chrome, tap the three-dot menu, go to Settings > About Chrome. The application should report version 150.0.7871.47 or higher.

If you manage Android devices through an MDM:

  • In Microsoft Intune: push a required app update for Chrome using the Managed Google Play store app deployment; set the update priority to “high” or force-install the latest version.
  • In VMware Workspace ONE: use the assignment settings to require the newest build and enable automatic updates through the Play Store policy.
  • For any MDM, verify that Google Play Protect is active and set to scan apps continuously—it’s an additional safety net.

For everyone, remember the human element: no legitimate service will ask you to log in via a random pop-up or full-page overlay. If something feels off, close the tab and navigate directly to the official site instead of tapping prompts.

What comes next

Chrome 150 will continue receiving security patches roughly every one to two weeks through minor point releases. Google’s next major stable-channel bump—Chrome 151—is roughly six weeks away and will bundle more fixes. This particular vulnerability isn’t known to be under active exploit, but now that the CVE is public, copycat attackers can analyze the patch and craft proof-of-concept pages. The window between disclosure and widespread update is always the riskiest period, so the cliché holds: patch early, patch completely.