Google has patched a severe security hole in Chrome for Android that allows attackers to break out of the browser’s protective sandbox and potentially take full control of a device. Tracked as CVE-2026-14428, the flaw is fixed in version 150.0.7871.46, just released on the Google Play Store. If you use Chrome on an Android phone or tablet, you need to update immediately.
The Fix: Inside Chrome 150.0.7871.46
The patched version, 150.0.7871.46, contains a single but potent security repair: it prevents malicious websites from escaping Chrome’s internal sandbox. Google’s official advisory, published on its Chrome Releases blog, is characteristically terse, only confirming that the CVE-2026-14428 fix is included and thanking external researchers for reporting the issue.
Sandbox escapes are technical; they don’t affect the user-facing features of the browser. That means you won’t see any visual or performance changes in this update. The changelog is virtually empty — and that’s exactly the point. Google strips out all functional changes from these security-focused releases so that users adopt them without hesitation and to avoid drawing attention to the flaw before patches are widely deployed.
The update increments the Android version number to force the Play Store to deliver the new build. While Google doesn’t disclose whether CVE-2026-14428 was found to be exploited in the wild before the patch, the company’s swift release of a dedicated security update — outside its usual Chrome release cycle — signals a high severity.
Who's at Risk — and What Can Happen
Every Chrome installation on Android running a version earlier than 150.0.7871.46 is vulnerable. That includes Chrome Beta, Dev, and Canary channels if they haven’t been updated to include the patch. Chromium-based browsers that share Chrome’s sandbox code may also be affected, though they would need to issue their own updates based on upstream changes.
The potential impact is severe. Chrome’s sandbox is a cornerstone of its defense-in-depth architecture: it runs web content inside a restricted environment that separates it from the operating system. If a vulnerability allows an attacker to escape that sandbox, they can execute arbitrary code on the device with the same privileges as the Chrome application. On Android, that means they could:
- Read and exfiltrate personal data stored on the device, such as contacts, messages, and files.
- Install additional malware that persists even after Chrome is closed.
- Capture keystrokes and login credentials entered in other apps.
- Access the device’s camera or microphone without permission.
- Use the compromised device to attack other systems on the network.
In short, a successful sandbox escape turns a simple visit to a malicious website into a complete device compromise. There is no evidence of active exploitation targeting this specific CVE, but once a patch is released, threat actors can reverse-engineer it to develop working exploits within days. That shortens the safe update window dramatically.
Why Sandbox Escapes Are a Nightmare for Mobile Security
Browsers on mobile devices face unique constraints compared to their desktop counterparts. Chrome for Android runs inside an application sandbox provided by the OS, but it also uses its own internal sandbox to further isolate page rendering processes. This two-layer approach means that even if an attacker manages to break out of Chrome’s internal sandbox, they still have to overcome the Android app sandbox. However, additional research has shown that breaking the internal sandbox often provides enough capabilities to pivot to the OS-level sandbox using other techniques.
Mobile devices are always connected, crammed with personal data, and used for authentication via SMS, app-based 2FA, and push notifications. A compromised browser can intercept these factors, making it a treasure chest for attackers. Google’s Android security team constantly hardens the browser’s sandbox, but the complexity of the codebase inevitably leads to occasional flaws.
Sandbox escape bugs are among the most prized and expensive vulnerabilities on the exploit market, often selling for six or seven figures on underground forums. Their discovery typically triggers a rapid, out-of-band patch cycle.
The Path to the Patch: A Brief Timeline
Google Chrome follows a predictable release schedule for major versions, but critical security issues can prompt a rush release outside that rhythm. The company does not provide an exact timeline of discovery and patching, but the CVE’s public record offers a few clues.
- Discovery: The bug was likely reported through Google’s Vulnerability Reward Program (VRP) by an external researcher or discovered internally during routine fuzzing and code audits.
- Triage and Fix: Once confirmed, Google engineers developed a patch and built a new version of Chrome for Android within a accelerated timeframe.
- Release: The patched APK (150.0.7871.46) was uploaded to the Google Play Store and exists as a staged rollout, reaching devices incrementally over a few days. Users can manually force an update by visiting the Play Store.
- Public disclosure: Google published a low-detail advisory on its Chrome Releases blog. The CVE registry (CVE-2026-14428) was updated, marking it as resolved. Technical details will likely be withheld for another month or two to ensure widespread adoption.
This timeline repeats a standard security response pattern that Google has refined over years of handling Chrome vulnerabilities on desktop and mobile.
Your Immediate Action Plan: Update Chrome on Android
The single most important step is to verify that Chrome is updated to version 150.0.7871.46 or later. Here’s exactly what to do:
For Everyday Users
- Open the Google Play Store on your Android device.
- Tap your profile icon in the top-right corner.
- Select Manage apps & device.
- Look for Chrome under “Updates available.” If you see it, tap Update next to Chrome. If it’s not listed, Chrome may already be up to date.
- Verify the version: Launch Chrome, tap the three-dot menu, go to Settings > About Chrome. The version number should read 150.0.7871.46 or higher.
- Relaunch Chrome: If it’s been open for a while, fully close and restart it so the updated version is active.
- Enable auto-updates: In the Play Store, go to Chrome’s listing page, tap the three-dot menu, and make sure Enable auto update is checked. This ensures future security patches arrive without manual intervention.
If you don’t see an update immediately, try refreshing the Play Store page or waiting a few hours. Google’s staged rollout means not everyone gets the update simultaneously, but manual checks often trigger an immediate download.
For IT Administrators and MDM Users
Organizations managing Android devices through enterprise mobility management (UMD) platforms have additional tools:
- Push the update: Use your MDM console to force an application update for Chrome, instructing devices to install version 150.0.7871.46.
- Verify fleet compliance: Run a report on managed devices, filtering for those with Chrome versions below the threshold. Most MDMs pull application version data directly.
- Consider Network Policies: While the update propagates, consider implementing network restrictions that discourage users from browsing to untrusted sites, though this is a weak mitigation.
- Assess browser alternatives: If your organization uses a flavor of Chromium, check with the vendor for a coordinated security advisory. Firefox and other non-Chromium browsers are not directly affected by this CVE but may have their own sandbox-related updates.
Administrators should subscribe to Google’s release notes RSS feed or monitor the Chrome Releases blog for post-patch details that could inform risk assessments.
Beyond the Button: Additional Security Measures
While updating is the definitive fix, a few extra steps can harden your Android device against future threats:
- Keep Android system updates current: Sandbox escapes sometimes rely on bugs in the OS layer. Monthly security patches from your device manufacturer can close those avenues.
- Use a password manager: If an attacker does gain access, a password manager with strong master password protection can limit the damage to stored credentials.
- Turn on two-factor authentication for critical accounts (email, banking, social media). A compromised device can intercept SMS codes, so prefer app-based tokens or hardware keys when possible.
- Review app permissions: Regularly check which apps have access to sensitive data like location, microphone, and storage. A sandbox escape in Chrome could enable an attacker to abuse these permissions on your behalf.
- Install only trusted apps: Malware that exploits a sandbox escape often needs a way to persist on the device. Avoiding sideloading and staying within the Play Store reduces the risk of such auxiliary malware.
These practices aren’t specific to this CVE, but they form a strong layer of defense-in-depth that complements Chrome’s built-in protections.
What's Next for Chrome Security
Google will eventually publish a detailed technical write-up of the sandbox escape vulnerability, likely after a majority of users have updated. That document will help the security community understand the attack vector and refine defensive measures. In the meantime, Android users can rest easier once they’ve applied the patch.
This incident underscores a persistent challenge: mobile browsers are just as complex and vulnerable as their desktop counterparts, yet users often treat them as set-and-forget apps. Google’s rapid response is commendable, but the onus remains on individuals and organizations to stay vigilant. Make updating Chrome a habit, and your phone will be a much harder target.