Google has released Chrome for Android version 150.0.7871.47, fixing a critical use-after-free vulnerability tracked as CVE-2026-13788. The flaw, disclosed by the National Vulnerability Database on June 30, 2026, could allow remote attackers to execute arbitrary code or cause a denial of service on unpatched devices. The update is rolling out now via the Play Store.
What exactly changed
The vulnerability resides in an unspecified component of Google Chrome for Android. According to the NVD advisory, CVE-2026-13788 is a use-after-free bug—a memory safety issue where the application continues to reference memory after it has been freed. This can corrupt data structures, crash the browser, or, if exploited skillfully, lead to arbitrary code execution.
Google rated the severity as Critical, the highest level in its classification system, meaning an attacker could potentially take over a device without user interaction beyond visiting a malicious website. The NVD record lists Chrome as the CVE source, confirming that Google acknowledged and patched it internally before public disclosure.
Affected versions: Chrome for Android earlier than 150.0.7871.47. The fix is included in version 150.0.7871.47, released on June 29, 2026, according to Google’s official Chrome releases blog (though the NVD published the record a day later). Devices running older versions, including any 150.x build below .47, are vulnerable.
What it means for you
If you use Chrome as your main browser on an Android phone or tablet, this is a priority update. Use-after-free vulnerabilities have a track record of being exploited in the wild—attackers can craft booby-trapped web pages that trigger the flaw to escape the browser’s sandbox and run malicious code. In practical terms, a successful exploit could install malware, steal data, or gain control of the device.
For everyday users
- Immediate risk: While there are no reports of active exploitation at the time of writing, the public disclosure of a critical bug raises the stakes. Attackers may start reverse-engineering the patch to develop exploits.
- What you should see: Open Google Play Store, go to “My apps & games,” and check for Chrome updates. If version 150.0.7871.47 is available, the update description will mention “bug fixes and performance improvements.” Google typically rolls out Chrome updates over a few days, so if it’s not yet visible, check back within 24 hours. You can also manually download the APK from the official Chrome releases page, but the Play Store is safer.
For IT administrators and MDM managers
- Managed devices: Ensure your mobile device management (MDM) policies force an update of Chrome to the latest version. If you use Google Play’s managed app configurations, verify that the update priority is set to “high” and auto-update is enabled.
- WebView dependencies: Many Android apps use the system WebView to display web content, and Chrome updates often include WebView fixes. If your organization deploys WebView separately, check the system WebView version as well—though CVE-2026-13788 specifically targets Chrome, similar memory bugs can affect WebView, so updating Chrome plus any WebView implementation is prudent.
- Enterprise mobility: For devices in kiosk mode or restricted profiles, test the new version in a non-production environment to ensure no compatibility issues with internal web apps.
How we got here
Use-after-free vulnerabilities are among the most common high-severity bugs in Chromium-based browsers. Google’s Chrome team routinely patches them, often crediting external researchers via its Vulnerability Reward Program. In this case, the NVD record doesn’t list a specific reporter, indicating it was found internally or through the Chrome release process.
Chrome for Android has historically faced memory corruption issues due to the complexity of its multi-process architecture and the sheer amount of third-party code. The browser’s version 150 milestone, released earlier in June 2026, brought significant under-the-hood changes, including an updated V8 JavaScript engine and improved site isolation. Such major updates can inadvertently introduce new bugs, and CVE-2026-13788 may be a regression discovered in post-release testing.
Prior critical use-after-free bugs in Chrome Android include CVE-2025-0291 (fixed in Chrome 132) and CVE-2024-9120 (Chrome 129). Both were exploited before patches reached most users, emphasizing the need for rapid updating. Google’s typical response time from internal discovery to public fix is under a week, and version 150.0.7871.47 arrived just days after the initial 150 release, suggesting a rapid response.
What to do now
Step 1: Check your Chrome version. Open Chrome, tap the three-dot menu, navigate to Settings > About Chrome. The version number appears at the top. If it’s 150.0.7871.47 or higher, you’re safe. If it’s lower, follow the update steps below.
Step 2: Update via Google Play. Open the Play Store, search “Google Chrome,” and tap “Update” if available. If an update button doesn’t appear, you may need to force a refresh: tap your profile icon, go to “Manage apps & device,” find Chrome in the “Updates available” list.
Step 3: Manual installation (advanced). If the Play Store hasn’t pushed the update after 48 hours, you can download the official APK from Google’s Chrome releases page (https://www.google.com/chrome/?platform=android). Ensure you download from that verified source only. Note that this requires enabling “Install unknown apps” for your file manager or browser.
Step 4: Mitigate until updated. If you cannot update immediately, consider switching temporarily to another browser like Firefox or Brave that uses a different engine (Gecko for Firefox). Avoid opening suspicious links, and disable JavaScript in Chrome’s site settings (Settings > Site settings > JavaScript) as a blunt but effective measure—though this will break many websites.
For enterprise admins: If your MDM permits, push a managed configuration to disable JavaScript or restrict Chrome until the update is applied. Leverage Google Play’s “Auto-Update” policy to minimize the window of vulnerability.
What to watch next
Google typically reveals more technical details a few weeks after the patch, once a critical mass of users has updated. Security researchers may publish proof-of-concept exploits, which increases the risk of real attacks. Additionally, the Chromium project might merge this fix into downstream browsers like Microsoft Edge and Samsung Internet; keep an eye on their update flows if you use those on Android.
The CVE record itself will likely be enriched over the coming days with CVSS scores and potentially a Common Weakness Enumeration (CWE) entry. For now, treat this as a must-apply update. Bookmark the Android Security Bulletins page (source.android.com) for any associated advisories that might affect other system components.