VYPR
Vypr Intelligence · AI-generated · Jul 1, 2026 · 25 CVEs

Chrome on Android: 25 Vulnerabilities Disclosed Together, Patched in v150.0.7871.47

Google Chrome on Android faces a batch of 25 vulnerabilities disclosed on July 1, 2026, impacting numerous components and patched in version 150.0.7871.47.

Key findings

  • 25 vulnerabilities disclosed together for Chrome on Android on July 1, 2026.
  • All flaws are patched in version 150.0.7871.47.
  • Vulnerabilities include use-after-free, insufficient policy enforcement, and UI spoofing.
  • Critical and High severity flaws allow code execution and sandbox escapes.
  • Exploitation often involves crafted HTML pages or malicious extensions.

On July 1, 2026, a batch of 25 vulnerabilities was disclosed for Google's Chrome on Android, all addressed in version 150.0.7871.47. They span many components of the browser, including UI, Payments, NFC, SiteSettings, PreviewTab, Mobile, CustomTabs, Canvas, Extensions, DevTools, Fullscreen, Network, Omnibox, Input, WebXR, Sharing, WebView, WebAppInstalls, CSS, Autofill, Text, and Passwords. The potential impact ranges from data leakage and UI spoofing to more severe issues such as arbitrary code execution and sandbox escapes.

Several vulnerabilities fall into common categories. "Inappropriate implementation" flaws were found in NFC (CVE-2026-13887), SiteSettings (CVE-2026-13941), PreviewTab (CVE-2026-14046), Network (CVE-2026-13868), Input (CVE-2026-13866), Sharing (CVE-2026-13932), WebAppInstalls (CVE-2026-14114), and Autofill (CVE-2026-13826). These often allow remote attackers to leak cross-origin data or bypass site isolation.

"Insufficient policy enforcement" was noted in Payments (CVE-2026-13949), WebXR (CVE-2026-13910), and DevTools (CVE-2026-13929), with potential for sensitive information disclosure or navigation restriction bypass. Additionally, "Insufficient validation of untrusted input" vulnerabilities were identified in UI (CVE-2026-13927), CustomTabs (CVE-2026-13863), and Text (CVE-2026-14106), which could lead to privilege escalation or sandbox escape.

"Incorrect security UI" flaws were present in UI (CVE-2026-14126), Mobile (CVE-2026-13987), and Extensions (CVE-2026-13997), enabling domain or UI spoofing. "Uninitialized Use" was found in Canvas (CVE-2026-14088) and CSS (CVE-2026-13943), potentially leading to sensitive data disclosure.

The most critical vulnerabilities include a "Use after free" in Fullscreen (CVE-2026-13788), which could allow remote attackers to execute arbitrary code, and another "Use after free" in WebView (CVE-2026-13870), enabling arbitrary code execution within the sandbox. A high-severity "Inappropriate implementation" in Extensions (CVE-2026-13822) could allow an attacker to bypass the same-origin policy.

All 25 vulnerabilities were patched in Chrome for Android version 150.0.7871.47. Users are strongly advised to update to this version to mitigate the risks associated with these security flaws. The coordinated disclosure, with all CVEs published on the same date, aligns with Google's standard security practices to allow users time to update before full exploit details are widely disseminated.

This batch of vulnerabilities underscores the importance of regular updates for the Chrome browser on Android. While many flaws are rated Medium or Low, the presence of Critical and High severity issues, including those allowing arbitrary code execution and sandbox escapes, necessitates prompt patching. Users should ensure their browsers are updated to the latest version to protect against potential exploitation.
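One way to check managed devices against the fixed version named above, as an added example that is not part of the original article. It assumes each device's text was captured with `adb shell dumpsys package com.android.chrome`; the device names and sample outputs are constructed.

```python
import re

# Fixed version stated in the article; anything lower is treated as unpatched.
FIXED = (150, 0, 7871, 47)
VERSION_RE = re.compile(r"^\s*versionName=(\S+)", re.MULTILINE)

def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints, or None if it is not a 4-part version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def installed_version(dumpsys_output):
    """Return the active versionName from `dumpsys package` output.

    Assumption: the active package is listed before any 'Hidden system packages:'
    section, which carries the older factory-installed version.
    """
    active = dumpsys_output.split("Hidden system packages:")[0]
    match = VERSION_RE.search(active)
    return parse_version(match.group(1)) if match else None

def audit(devices):
    """Map device id -> 'patched' | 'vulnerable' | 'unknown'."""
    report = {}
    for device_id, output in devices.items():
        version = installed_version(output)
        if version is None:
            report[device_id] = "unknown"
        else:
            # Tuple comparison is numeric per field, so .5 sorts below .47.
            report[device_id] = "patched" if version >= FIXED else "vulnerable"
    return report

# Constructed sample output for three hypothetical devices.
SAMPLE = {
    "device-a": "Packages:\n  Package [com.android.chrome] (abc):\n"
                "    versionName=150.0.7871.47\n",
    "device-b": "Packages:\n  Package [com.android.chrome] (abc):\n"
                "    versionName=150.0.7871.5\n"
                "Hidden system packages:\n  Package [com.android.chrome] (def):\n"
                "    versionName=120.0.6099.43\n",
    "device-c": "Unable to find package: com.android.chrome\n",
}

if __name__ == "__main__":
    for device, status in audit(SAMPLE).items():
        print(device, status)
```

Comparing the raw strings instead of integer tuples would rank `150.0.7871.5` above `150.0.7871.47` and report device-b as patched.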

AI-written article. Grounded in 25 CVE records listed below.