CVE-2026-13870
Google · Chrome for Android
A Use-After-Free vulnerability exists in the WebView component of Google Chrome on Android prior to version 150, which may lead to remote code execution.
Executive summary
A critical Use-After-Free vulnerability in Google Chrome’s WebView component on Android devices presents a significant risk of remote code execution.
Vulnerability
The vulnerability resides in the WebView component, which is used by many Android applications to render web content. It is a Use-After-Free flaw that could be triggered by an attacker if a user interacts with malicious content, requiring no specific authentication from the attacker.
Business impact
With a CVSS score of 8.8, this vulnerability represents a high threat to mobile security. Compromise of the WebView component allows an attacker to bypass application sandboxing, potentially leading to unauthorized access to sensitive application data or persistent device compromise.
Remediation
Immediate Action: Update the Google Chrome application and Android System WebView via the Google Play Store to version 150 or later as soon as it is released.
Proactive Monitoring: Review mobile device management (MDM) reports to identify devices running outdated versions of WebView or Chrome.
Compensating Controls: Utilize mobile threat defense (MTD) solutions to identify and block malicious web traffic that attempts to exploit browser-based vulnerabilities.
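The monitoring step above can be automated against an MDM app-inventory export. The following is an added example, not part of the original advisory: the CSV column names (device_id, package, version) and all sample rows are constructed assumptions, and the check compares only the major version against the advisory's stated fix version of 150.

```python
import csv
import io

FIXED_MAJOR = 150  # first fixed major version, per the advisory
# Play Store package names for Chrome and Android System WebView.
TRACKED = {"com.android.chrome": "Chrome",
           "com.google.android.webview": "Android System WebView"}

# Constructed sample export; column names and version strings are assumptions.
SAMPLE_EXPORT = """\
device_id,package,version
pixel-001,com.android.chrome,150.0.0.1
pixel-001,com.google.android.webview,150.0.0.1
tab-014,com.android.chrome,150.0.0.1
tab-014,com.google.android.webview,149.0.0.9
kiosk-03,com.android.chrome,148.0.0.3
kiosk-03,com.google.android.webview,
phone-22,com.android.chrome,150.0.0.1
"""

def major_version(version):
    """Return the leading integer of a dotted version, or None if unparseable."""
    head = version.strip().split(".", 1)[0]
    return int(head) if head.isdecimal() else None

def audit(export_text):
    """Map device_id -> sorted list of findings; compliant devices map to []."""
    seen = {}  # device_id -> {package: major version or None}
    for row in csv.DictReader(io.StringIO(export_text)):
        apps = seen.setdefault(row["device_id"].strip(), {})
        pkg = row["package"].strip()
        if pkg in TRACKED:
            apps[pkg] = major_version(row["version"] or "")
    report = {}
    for device, apps in seen.items():
        findings = []
        for pkg, name in TRACKED.items():
            if pkg not in apps:  # missing entry needs manual review
                findings.append(f"{name}: not reported")
            elif apps[pkg] is None:
                findings.append(f"{name}: version unreadable")
            elif apps[pkg] < FIXED_MAJOR:
                findings.append(f"{name}: major {apps[pkg]} < {FIXED_MAJOR}")
        report[device] = sorted(findings)
    return report

if __name__ == "__main__":
    for device, findings in audit(SAMPLE_EXPORT).items():
        print(device, "OK" if not findings else "; ".join(findings))
```

Devices with a missing or unreadable entry are reported rather than treated as compliant, so gaps in the inventory are reviewed instead of silently passing.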
Exploitation status
Public Exploit Available: false
Analyst recommendation
The ubiquity of WebView in the Android ecosystem makes this vulnerability particularly dangerous. Organizations should enforce a policy requiring timely updates for all mobile assets to ensure that critical patches for the WebView engine are applied without delay.