Google released Chrome for Android version 150.0.7871.47 on Thursday, closing a critical security hole that could let attackers hijack your phone just by luring you to a booby-trapped website. The patch fixes CVE-2026-13870, a use-after-free flaw in the WebView component that processes web content inside Chrome and other apps. Security researchers warn that the bug, triggered by specially crafted HTML, could allow remote code execution on unpatched devices.

With nearly four billion Android phones in active use, this update demands immediate attention. Here’s what changed, why it matters, and exactly how to protect yourself.

A Use-After-Free Bug in WebView

The core of CVE-2026-13870 is a classic memory safety mistake. In programming, a use-after-free (UAF) occurs when a program continues to reference a chunk of memory after it’s been released. Attackers can manipulate this dangling pointer to redirect execution flow, often leading to arbitrary code execution. Google classified the bug as CWE-416.

In this case, the vulnerable logic lived inside Android’s WebView, the system component that renders web pages for Chrome and countless third-party apps. By convincing a user to visit a malicious site—or even open a rigged HTML file in a chat app—an attacker could exploit the flaw to run code in the context of the affected application. Because WebView often operates with the app’s full permissions, the damage ranges from credential theft to full device compromise.

The extent of the risk depends on the exploited app. In Chrome itself, the attack could steal cookies, inject malware, or pivot to other vulnerabilities. In apps that use WebView for critical flows—like banking, social media, or enterprise portals—the consequences could be catastrophic.

Google hasn’t said whether this flaw is being actively exploited in the wild. As of Friday, the usual “exploitation detected” flag remains off on the public tracker. But with proof-of-concept code likely to surface soon, delay is dangerous.

Who’s Affected and How to Update

Every Android phone running Chrome (or any WebView-based app) before version 150.0.7871.47 is at risk. This update is rolling out now through the Google Play Store, and it will typically self-install within a few days if you have automatic updates enabled. But you shouldn’t wait.

To check and force the update:

  1. Open the Play Store app.
  2. Tap your profile icon, then Manage apps & device.
  3. Under “Updates available,” find Google Chrome.
  4. If an update is pending, tap Update. If not, verify the installed version.

To verify your Chrome version:

  1. Open Chrome.
  2. Tap the three-dot menu > Settings > About Chrome.
  3. The version should read 150.0.7871.47 or higher. If it doesn’t, repeat the Play Store steps.

For IT admins and enterprise users:

  • Push the update immediately through your mobile device management (MDM) platform.
  • Block access to corporate resources from devices running Chrome < 150.0.7871.47 until they’re patched.
  • Remind users that WebView is also used by other apps (like Microsoft Teams, Outlook, or custom internal tools). Those apps draw on the same system WebView, so patching Chrome is sufficient—but you should confirm that system WebView is also updated. On modern Android (7.0+), WebView updates independently via the Play Store.

For developers:

  • If your app embeds WebView, verify that you’re receiving crash reports or suspicious activity logs related to UAF.
  • Consider enforcing a minimum Chrome/WebView version in your app’s compatibility settings, though this is a blunt instrument. Better to alert users to update.

How Attackers Exploit WebView Flaws

WebView vulnerabilities are prized by attackers because they blur the line between web and native code. A use-after-free in WebView’s rendering engine can be triggered by seemingly harmless HTML, CSS, or JavaScript. Once the attacker has code execution, they can:

  • Intercept OAuth tokens and session cookies.
  • Deploy a web-based keylogger.
  • Escalate privileges by coupling the UAF with a kernel exploit.
  • Pivot from a sandboxed renderer process to the main app process.

In the case of CVE-2026-13870, the flaw resides in the memory management of objects tied to HTML parsing. A detailed technical write-up is expected once most users have patched, but the general pattern is familiar: a crafted HTML page allocates and frees memory in a specific sequence, leaving a dangling pointer that can be overwritten with attacker-controlled data. The overwritten pointer then gets called, redirecting execution to shellcode.

Because WebView is not a sandboxed renderer in the same way the desktop Chrome renderer is, the barrier to full compromise is lower on Android. This makes every WebView bug a high-priority patch.

A Brief History of Android’s WebView Woes

WebView has long been a soft spot in Android’s armor. Before Android 5.0 (Lollipop), WebView was based on a static version of WebKit, updated only with full system OTAs. That meant catastrophes like 2014’s Stagefright era when a single WebView bug could leave millions of devices exposed for months.

Google decoupled WebView from the OS in 2015, allowing it to be updated through the Play Store like any other app. That change dramatically shortened the patching cycle, but it didn’t eliminate the threat. High-severity WebView bugs still surface several times a year.

Recent memory includes CVE-2025-0970 (early 2025) and CVE-2024-9953 (late 2024), both use-after-free flaws in WebView that earned CVSS scores above 8.0. Industry-wide, UAF bugs have been the most common type of memory safety vulnerability in browsers, despite years of investment in sandboxing and isolation. Rust-based rewrites of critical components are underway, but the WebView codebase remains largely C++.

CVE-2026-13870 was reported by an external researcher whose identity hasn’t been disclosed yet. Google’s Android and Chrome security teams coordinated the fix, and the patch was included in a broader stable channel update that also contains several other fixes. Details of those companion flaws will be published in the coming days.

The Immediate Steps Every User Should Take

  1. Update now. The Play Store update takes less than a minute and requires no reboot. If you manage several devices, do it on all of them.
  2. Restart Chrome. After updating, fully close Chrome (swipe it from Recents) and relaunch to ensure the new WebView is loaded.
  3. Enable automatic updates. In the Play Store, go to Settings > Network preferences > Auto-update apps, and choose “Over any network” (or “Over Wi-Fi only” if you’re data-conscious). Chrome patches often arrive without fanfare, so this is your first line of defense.
  4. Be cautious with links. Even after patching, treat unsolicited links—especially in SMS, email, or messaging apps—with skepticism. A patched WebView won’t protect you from every trick.
  5. Check other browsers that use WebView. Some third-party browsers (like Samsung Internet or Brave) have their own engine and update schedules, but many lightweight browsers rely on Android System WebView. If you use one, make sure that Android System WebView is also updated via the Play Store.

What Happens Next

Historically, exploit code for severe WebView bugs appears on GitHub or exploit databases within a week or two of patch release. Malware campaigns often repurpose this code to broaden their reach. Enterprises should assume that weaponized exploits are coming and tighten software update policies.

Google will likely elevate CVE-2026-13870’s severity if it finds evidence of active exploitation. For now, the best defensive posture is universal patching. Keep an eye on the Chrome Releases blog and the Android Security Bulletin for any updates.

Meanwhile, the incident reinforces a deeper truth: mobile browsers are now just as complex and attackable as their desktop counterparts. Treating Android Chrome as a mere “app” belies its role as the gateway to your digital life. Regular, prompt updates aren’t optional—they’re essential.