Google has released Chrome 150.0.7871.47 for Android to plug a security hole that erodes one of the browser’s fiercest defenses against data-stealing attacks. The update fixes CVE-2026-13866, a vulnerability that lets a remote attacker sidestep Site Isolation—the feature that quarantines websites into separate processes—after first gaining control of the renderer.
What changed: a blind spot in Chrome’s process fortress
According to Google’s advisory, the bug is classified as an insufficient enforcement of site isolation. In practice, that means an attacker who has already broken into Chrome’s rendering engine can rig a malicious webpage to read or manipulate data from other, unrelated sites that are open in the browser. The crafted HTML essentially tricks Chrome into treating the compromised renderer as if it belongs to a different origin, letting the attacker jump the security fence.
The flaw was reported by an external researcher through Google’s Vulnerability Rewards Program, though the company has withheld technical specifics to prevent exploitation while users patch. The advisory does not mention in-the-wild attacks, but the nature of the bug—a targeted second-stage exploit—means it could be paired with a separate renderer vulnerability to mount a more destructive chain.
Chrome’s stable channel for Android was bumped from version 149 to 150.0.7871.47 on March 15, 2026. The release includes no other security fixes, underscoring the urgency. Desktop and iOS versions are unaffected because this CVE is specific to the Android architecture.
What it means for you
For everyday users: The risk sounds arcane, and for most people it is. An attacker needs a prior foothold in the renderer—typically through a separate, patched-or-zero-day bug—so a fully updated phone is unlikely to be the first link in the chain. But update immediately anyway. Site Isolation is your last line of defense when a malicious site tries to grab passwords, credit cards, or cookies from your banking or email tabs. A bypass puts all of that within reach.
For IT administrators and enterprise mobility managers: This is a Friday-afternoon push scenario. Managed Android devices that rely on Chrome for work profiles or BYOD access should be forced to update. The CVE’s severity is rated High, but if your organization has any custom web apps that handle sensitive data, treat it as critical. Use your EMM console to mandate the new version and ring-fence any devices still on Chrome 149. Consider deploying a short-term policy that blocks older Chrome releases from accessing internal resources until you’ve confirmed the rollout.
For developers: If you embed WebView in your Android app, note that WebView updates are tied to Chrome on the device. While this CVE is labeled as a Chrome browser bug, the same rendering engine underpins WebView. Google hasn’t issued a separate WebView bulletin, but ensuring your users run Chrome 150 effectively patches WebView too. Double-check your app’s testing matrix to confirm it behaves correctly with the new Chrome stable.
How we got here: the cat-and-mouse game of site isolation
Site Isolation has been central to Chrome’s defense-in-depth strategy since 2018, when the Spectre and Meltdown CPU flaws threatened to undo browser data protections. The idea is radical: even if a single renderer process is hijacked, the attacker cannot access memory belonging to a different site because each origin lives in its own sandboxed process. For Android, Google turned on strict site isolation by default in Chrome 77 (2019), extending the desktop safeguard to mobile.
But architecture alone isn’t enough. Over the years, researchers have discovered numerous enforcement gaps—places where Chrome’s logic fails to properly label a process or where a cross-origin request slips through. Some notable precedents:
- CVE-2021-37977 (2021): A similar site-isolation bypass on Android that allowed sandboxed renderers to access cross-site data through a flaw in Blink.
- CVE-2023-4763 (2023): An insufficient policy enforcement bug that let a crafted website read contents of an iframe from a different site, also fixed in an Android-specific update.
- CVE-2024-9943 (2024): A bypass involving navigation flows, patched within 48 hours.
CVE-2026-13866 fits this recurring pattern. Each patch teaches the browser better checks, but the complexity of web standards guarantees new blind spots will emerge. Google’s Security Team has publicly stated that site isolation is not a one-time fix but an ongoing engineering battle.
What to do now
Step 1: Update Chrome from the Google Play Store
Open the Play Store app, tap your profile picture, and go to “Manage apps & device.” Under “Updates available,” find Google Chrome and tap Update. If you don’t see it, pull down to refresh, or search for “Chrome” manually and hit Update on the app page.
Step 2: Verify the version
Launch Chrome, tap the three-dot menu > Settings > About Chrome. The page will show the installed version number and automatically check for updates. You should see “150.0.7871.47” or higher. If an update is still pending, close the app and try again, or restart your device.
Step 3: Ensure auto-updates are on
In the Play Store, go to Settings > Network preferences > Auto-update apps and select “Over Wi-Fi only” or “Any network.” Chrome’s built-in update mechanism is reliable, but the Play Store must be allowed to download in the background. If you’ve previously disabled automatic updates to save data, re-enable them now.
Step 4: For IT admins—force the update on managed devices
If you use Microsoft Intune, VMware Workspace ONE, or another EMM, push a managed configuration that specifies the minimum Chrome version. Set a compliance policy that flags devices with Chrome <150.0.7871.47 and blocks access to corporate resources until the update is applied. Review your Android Enterprise app configuration to ensure Chrome is set to auto-update.
Step 5: Reboot and re-verify
After updating, restart your phone. Then revisit the About Chrome screen to confirm the patch took effect. Browsers sometimes require a full refresh of background services.
If the update isn’t available yet: Staged rollouts can delay availability by a day or two. In the meantime, avoid opening sensitive websites (banking, webmail, intranets) in Chrome. Use an alternative browser like Firefox for Android or Samsung Internet, which are not affected by this specific Chrome bug. Do not sideload Chrome from third-party APK repositories; wait for the official Play Store distribution.
Outlook
Google’s swift move to push a dedicated fix shows that site-isolation bypasses still carry heavyweight urgency inside Mountain View. For Android users, this marks another turn in a decade-long effort to match the security posture of desktop Chrome—a journey hampered by the platform’s fragmentation. Expect to see further hardening in Chrome 151, particularly around the Android-specific process model. The real signal, however, is not this single CVE but the rhythm: a high-severity site-isolation bug surfaces roughly once a year, gets patched, and quietly reinforces the browser’s architecture. Keeping Chrome updated is the cheapest, most effective mitigation you have.