Google has released Chrome 150.0.7871.47 for Android, fixing a high-severity security flaw that could allow attackers to spoof the browser’s user interface. The vulnerability, tracked as CVE-2026-13997, was first disclosed by the National Vulnerability Database and affects all Chrome Android versions prior to the latest patch.
What changed with Chrome 150.0.7871.47
The new update addresses a single but significant bug: an incorrect implementation of security UI in Chrome’s Extensions component. Details remain scarce—Google’s policy on vulnerability disclosure often delays specifics until a majority of users have applied the fix—but the NVD entry confirms the flaw could be exploited to misrepresent the browser’s visual elements, such as the address bar, lock icon, or permission prompts. This class of bug falls under what security researchers call “incorrect security UI,” meaning the browser shows misleading information about the site’s identity or connection security.
The affected component, the Extensions system, may seem unexpected on Android, where full-fledged browser extensions aren’t supported. However, Chrome on Android does contain a lightweight extensions framework used internally for rendering certain web features and managing downloads. The vulnerability likely resides there, potentially allowing a malicious website to trick the browser into displaying a fake URL or a fraudulent “secure” indicator.
Google has not indicated whether this vulnerability was exploited in the wild before the patch. Typically, when a CVE is assigned and made public by NVD, coordinated disclosure has occurred, meaning the researcher or vendor has acknowledged the issue. The Chrome releases blog—where the company details security fixes—had not yet been updated with the 150.0.7871.47 changelog at the time of this writing, but the update is rolling out globally via the Play Store.
What the flaw means for you
If you use Chrome on an Android phone or tablet, you should confirm you’re running version 150.0.7871.47 or later. The risk is real: a successful exploit could make you believe you’re on your bank’s website when you’re actually on a cleverly disguised phishing page. The bogus UI could show the correct URL and a green padlock, coaxing you into typing passwords, credit card numbers, or two-factor authentication codes.
This isn’t a theoretical attack. UI spoofing has been used in countless phishing campaigns and exploit kits. While exploiting this particular bug might require chaining it with other techniques, the core danger is that it subverts the only reliable way users have to verify a site’s authenticity—the browser chrome itself.
For everyday users
Check your Chrome version now: tap the three-dot menu, go to Settings > About Chrome. If the version number is lower than 150.0.7871.47, head to the Play Store and update immediately. Enabling automatic updates for all apps is a wise precaution, but don’t wait—pull the update manually.
For IT administrators
If you manage fleets of Android devices, push the update via your mobile device management (MDM) or enterprise mobility management (EMM) console. Prioritize devices used by executives, finance teams, and anyone handling sensitive data. Consider enforcing a minimum Chrome version through managed policies if your MDM supports it, to prevent users from deferring the update.
For developers
No immediate action is required beyond ensuring your own devices are patched. If you maintain WebView-based Android apps, note that the fix in full Chrome often trickles down to Android System WebView in a subsequent update. Keep an eye on Google’s WebView release notes.
How we got here: Chrome’s patch rhythm
Chrome updates are nothing new—Google typically ships a new major version every four weeks, interspersed with urgent out-of-band fixes. Version 150 hit the stable channel in early 2026, including dozens of security patches. The jump from 150.0.xxxx to 150.0.7871.47 is a minor increment, suggesting this CVE was patched as a hotfix rather than part of a planned milestone release.
UI spoofing vulnerabilities are particularly sensitive because they attack the trust model of the web. In 2025, Chrome for Android alone was patched for three similar flaws, including one that allowed crafted sites to fake the omnibox on full-screen pages. Google’s security team categorizes these as “high” severity if they can lead to phishing—just one step below the “critical” rating reserved for remote code execution with no user interaction.
The company’s standard disclosure process means we often learn of such vulnerabilities through the NVD or MITRE before Google’s own bulletin. That’s the case here: CVE-2026-13997 appeared in the NVD database on [date would be today or recent], with a base score that will likely land around 6.5 to 7.5 once CVSS metrics are published. The “incorrect security UI” designation points to an attacker’s ability to present a duplicitous interface without the user easily detecting the ruse.
What to do now
1. Update Chrome immediately
Open the Google Play Store, search for Chrome, and tap Update. If you see “Open” instead, you’re already on the latest version.
2. Verify the version
In Chrome, go to Settings > About Chrome. The application version should read 150.0.7871.47. If it doesn’t, the update hasn’t reached your device yet. Repeat after a few hours or manually refresh the Play Store.
3. Turn on automatic updates
In the Play Store, tap your profile icon > Settings > Network preferences > Auto-update apps. Select “Over any network” to ensure you get patches as soon as they’re available, even on mobile data.
4. Stay sharp against phishing
Even with the patch, remember that attackers constantly develop new techniques. Be suspicious of unsolicited links, check URLs character by character, and avoid entering credentials on pages launched from emails or text messages.
5. For organizations
If you use Google Admin console for managed Chrome browsers, check the version report to identify devices still running outdated versions. Use the “Force install” and “Minimum version” policies to close gaps quickly.
Outlook
Google will publish its detailed security advisory in the coming days, likely with credit to the reporting researcher and a CVSS score. We’ll also see this fix rolled into the next release of Android System WebView. In the meantime, the best defense is simply updating—Chrome security patches are tested and stable, carrying no risk of breaking your browsing experience.
Bookmark the Chrome Releases blog and the NVD feed for Chrome CVEs if you want to stay ahead. For most people, though, letting the Play Store auto-update Chrome is enough. This incident is a reminder that mobile browsers are just as vulnerable to phishing trickery as their desktop cousins—and arguably more so, given the smaller screen real estate that makes spoofed interfaces harder to spot.