Google has shipped an out-of-band security update for Chrome on Android, fixing a serious flaw that could allow a local attacker to compromise Custom Tabs sessions. The update, version 150.0.7871.47, addresses CVE-2026-13955, an input-validation bug that Google says could be exploited to inject malicious content into web pages rendered through the feature.
The Fix: Chrome 150.0.7871.47 for Android
On March 16, 2026, Google pushed Chrome 150.0.7871.47 to the stable channel for Android. The release notes are terse: a single security fix for CVE-2026-13955, classified as high severity. The vulnerability resides in Chrome’s CustomTabs implementation, which lets third-party apps open web content in a simplified browser view. According to the sparse advisory, improper input validation could let a local attacker manipulate the display of information or redirect users to unintended destinations. In plain terms, the flaw means a malicious actor with code execution on your device (through a compromised app, for example) could alter what you see in a CustomTab — swapping a legitimate payment page for a phishing lookalike, or injecting scripts that steal credentials.
Google hasn’t released technical details about the bug’s root cause. The Chromium bug tracker entry remains restricted, a common practice for high-severity vulnerabilities to prevent rapid reverse-engineering. The advisory notes the issue was reported by an external security researcher, though Google hasn’t disclosed whether it was exploited in the wild. The fix is validated for Android only; Chrome on Windows, macOS, and iOS are not listed as affected. Still, the tight integration between Chrome’s desktop and mobile versions makes this a patch every multi-device user should apply, regardless of primary platform.
What CustomTabs Vulnerability Means for Users
For the vast majority of users, the immediate risk is limited to Android devices with outdated Chrome versions. Because the flaw requires local access—meaning an attacker already has a toehold on your device—exploitation likely would be paired with another attack vector, such as a malicious app. Once triggered, however, an attacker could modify what appears in a CustomTab session, potentially tricking you into entering credentials on a fake login page or intercepting sensitive data.
Consider a scenario: you tap a link in a messaging app, and it opens in a CustomTab. A background malicious app exploits CVE-2026-13955 to alter the page content, showing a login prompt that captures your Google account password. Or the attacker redirects you to a site that triggers an automatic download of another payload. The attack surface is broad because CustomTabs is deeply woven into the Android app ecosystem. Major apps like X (Twitter), Reddit, and many banking apps rely on it for in-app browsing. Each becomes a potential launch pad.
For Windows users, the direct risk is zero—this CVE doesn’t affect Chrome on desktop. However, if you use Chrome Sync to harmonize bookmarks, passwords, and browsing sessions across devices, a compromise on your Android phone could cascade. Stolen credentials from a phished Google account on Android give attackers access to your entire Chrome profile on Windows, including saved payment methods, autofill data, and even remote access if you use Chrome Remote Desktop. The chain is only as strong as its weakest link, and a neglected mobile update can punch a hole in your desktop security.
How We Got Here – Chrome’s Silent Patch Cycle
Google typically releases Chrome updates on a fixed every-four-weeks schedule, but security fixes land when ready. The company often publicizes patches after a delay to allow for widespread deployment. CVE-2026-13955 first appeared on the National Vulnerability Database on March 16, 2026, but details remain thin as Google restricts access to the bug report. This is standard practice for higher-severity flaws; full writeups usually emerge days to weeks later. The vulnerability’s publication without fanfare suggests Google doesn’t currently see active exploitation, but the high severity rating indicates a non-trivial risk.
CustomTabs itself has been a target before. In 2023, a similar input-validation issue (CVE-2023-4908) allowed URL spoofing. Google’s ongoing investment in hardening the feature reflects its critical place in Android’s app browsing model. The fact that this fix arrived outside the normal cycle hints at a vulnerability considered urgent enough to fast-track—a detail worth noting for anyone who dismisses Chrome updates as routine.
For Windows users, the contrast is instructive. Desktop Chrome’s broader attack surface and its use of OS-level sandboxing often mean vulnerabilities are harder to exploit locally, but the Android variant’s reliance on an app ecosystem with variable security hygiene creates a softer underbelly. This CVE is a reminder that the most secure desktop setup can be undone by a single unpatched mobile app.
Update Now: Steps for Android and Broader Advice
For Android users:
1. Open the Google Play Store, search for “Google Chrome,” and tap Update. If you see “Open” instead, you’re already on the latest version.
2. Verify the update took: launch Chrome, tap the three-dot menu, go to Settings > About Chrome. You should see version 150.0.7871.47 or later.
3. Enable auto-updates to prevent future gaps: in the Play Store, tap your profile icon, then Settings > Network preferences > Auto-update apps > Over any network (or “Over Wi-Fi only”).
For Windows users watching this from a desktop:
- Although CVE-2026-13955 doesn’t affect your PC, you should check your desktop Chrome version. Go to Help > About Google Chrome to trigger an update check. The current stable release for Windows (as of March 2026) is version 150.x; any older build could expose you to other recently patched flaws.
- If you use Chrome Sync, add a sync passphrase. This encrypts your synced data with a key that Google doesn’t have, meaning even if an attacker grabs your Google Account password, your synced data remains scrambled. Set this up at chrome://settings/syncSetup.
- Enable two-factor authentication (2FA) on your Google account. Consider enrolling in Google’s Advanced Protection Program if you’re at elevated risk—it mandates hardware security keys and blocks unverified apps.
- For organizations managing Android devices via Microsoft Intune or other MDM, push an immediate update policy for Chrome. The bug’s local nature means even side-loaded apps on lightly managed devices could be a vector.
Outlook
Google will likely publish additional details on the Chrome Releases blog once deployment reaches a critical mass. Security researchers may reverse-engineer the fix to demonstrate proof-of-concept exploits, a process that typically takes a few weeks. If active exploitation is discovered, expect a more urgent alert. For now, the most dangerous assumption is that an Android-only bug doesn’t matter to you. With mobile browsing now the dominant form of internet access, even users anchored to a Windows desktop during work hours must treat phone updates with the same rigor. The prompt to update Chrome is one you should never dismiss — on any platform.