Google has issued an out-of-band security update for Chrome on Android, patching a critical vulnerability tracked as CVE-2026-13822. All users running Chrome for Android older than version 150.0.7871.47 should update immediately.
The vulnerability, if successfully exploited, could allow an attacker to compromise the device after convincing the user to install a malicious file. While Google hasn't disclosed full technical details, the CVE description makes it clear that user interaction is required, which typically points to a social engineering or drive-by download scenario.
What actually changed
The update bumps Chrome for Android to version 150.0.7871.47. There are no new features or visible changes—this is purely a security fix. Because exploitation hinges on tricking the user into installing a crafted file, the attack surface likely involves a malicious app or a downloaded file that Chrome would otherwise sandbox. Google's advisory (which at press time carried no further information) simply flags the severity as critical and urges immediate update.
What it means for you
For Android users
If you use Chrome on an Android phone or tablet, open Google Play Store and install the update now. The fix is rolling out globally, but if you don't see version 150.0.7871.47 yet, it should arrive within hours. Do not sideload files from untrusted sources, even if a website or message insists you need a “plugin” or “player.” That's the classic lure for this type of attack.
For Windows users
Your desktop Chrome is not directly affected by this CVE—the bug is specific to the Android client. However, if you sync bookmarks, passwords, cookies, or open tabs between your Android phone and your Windows PC, a compromised phone could become the first domino. Stolen session cookies could let an attacker impersonate you on websites you're already logged into, even from a different device. It's an excellent moment to review what you're syncing and to enable two-factor authentication on critical accounts.
How we got here
Chrome's six-week release cycle sometimes lets critical bugs slip through. This one, tagged CVE-2026-13822, is severe enough to warrant an out-of-band update rather than waiting for the next major milestone. Google routinely uses CVEs to track vulnerabilities, and while the company rarely hands out full exploit details until most users have patched, the pattern is familiar: a malicious file can break out of Chrome's sandbox or execute arbitrary code if the user can be tricked into installing it.
Past similar Chrome for Android flaws have involved issues with file downloads, media handling, or JavaScript engines. In some cases, simply visiting a rogue website was enough. Here, the apparently required user interaction suggests a slightly higher barrier, but attackers are adept at crafting convincing lures.
What to do now
Update Chrome on Android
- Open the Google Play Store app.
- Tap your profile icon at the top right.
- Choose Manage apps & device.
- Under “Updates available,” find Chrome and tap Update. Alternatively, search for Chrome and hit the update button.
- After updating, open Chrome, tap the three-dot menu, go to Settings > About Chrome, and confirm the version shows 150.0.7871.47 or higher.
If the update isn't queued yet, you can wait a few hours or clear the Play Store cache (Settings > Apps > Google Play Store > Storage > Clear cache) and try again.
For Windows-centric users: Check your sync leash
Even though CVE-2026-13822 doesn't touch the desktop build, a connected Android device can still be a liability.
- Review synced devices: Visit chrome.google.com/sync on your PC, sign in, and review the list of devices linked to your Google Account. Remove any you don't recognize.
- Adjust sync settings: In Chrome, go to chrome://settings/syncSetup and toggle off anything you don't strictly need to share, especially passwords and payment methods.
- Enable two-factor authentication (2FA): If you haven't already, activate 2FA on your Google Account. Every cloud-syncing service should follow.
- Keep desktop Chrome updated: Stable channels on Windows get automatic updates, but sometimes a restart is needed. Check chrome://settings/help to make sure you're running the latest version (which should be 150.0.7871.47 or later for desktop as well, though that number is unrelated to this CVE).
Outlook
Google will likely publish a full technical write-up once a sufficient portion of the user base has patched—usually within a week. Security researchers who discover these bugs often release detailed analyses shortly afterward, but for now, the priority is simply to update. In the longer term, this CVE is a reminder that even well-hardened browsers can have platform-specific fractures. Whether you're an Android user, a Windows user, or both, keeping all endpoints patched and your sync connections under control remains the single best defense. Watch for follow-up disclosures that might reveal the exact mechanism and whether similar attack vectors exist on other Chrome platforms.