CVE-2026-13885
Google · Chrome for Android
A Use-After-Free vulnerability exists in the Skia graphics library within Google Chrome on Android prior to version 150, potentially allowing for arbitrary code execution.
Executive summary
A critical Use-After-Free vulnerability in the Skia graphics library of Google Chrome for Android could allow an attacker to execute arbitrary code.
Vulnerability
The vulnerability is located within the Skia graphics engine, a critical component for rendering 2D graphics. This Use-After-Free flaw can be triggered by processing malicious graphical content, requiring no authentication from the attacker.
Business impact
The CVSS score of 8.8 reflects the severity of this vulnerability; graphics rendering engines are frequent targets for exploitation. A successful exploit could allow an attacker to break out of the browser sandbox, resulting in unauthorized access to device resources and sensitive user information.
Remediation
Immediate Action: Apply the vendor-provided security updates to Google Chrome for Android as soon as they become available.
Proactive Monitoring: Monitor for anomalous application crashes in mobile environments, which can sometimes serve as an indicator of an exploitation attempt against the graphics stack.
Compensating Controls: Maintain up-to-date security patches for the underlying Android OS, as these often contain security improvements for shared system libraries.
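The first two remediation items can be combined into one fleet triage pass. The sketch below is an added example, not vendor tooling: it flags devices whose Chrome major version is below 150 and counts native crashes in Chrome processes from logcat tombstone lines. The device names, version strings, log lines and crash threshold are constructed assumptions.

```python
import re

FIXED_MAJOR = 150                 # the advisory: versions prior to 150 are affected
CHROME_PKG = "com.android.chrome"
CRASH_THRESHOLD = 2               # assumption: crashes per log window worth a look

# Tombstone header and signal lines as debuggerd writes them to logcat (tag DEBUG).
HEADER = re.compile(r"DEBUG\s*: pid: \d+, tid: \d+, name: .*?>>> (\S+) <<<")
SIGNAL = re.compile(r"DEBUG\s*: signal \d+ \((SIG[A-Z]+)\)")

def is_vulnerable(version):
    """True if the major version is below FIXED_MAJOR; unparseable fails closed."""
    m = re.match(r"(\d+)\.", version or "")
    return m is None or int(m.group(1)) < FIXED_MAJOR

def chrome_native_crashes(lines):
    """Return the signal name of each native crash in a Chrome process."""
    signals, in_chrome = [], False
    for line in lines:
        h, s = HEADER.search(line), SIGNAL.search(line)
        if h:
            in_chrome = h.group(1).startswith(CHROME_PKG)
        elif s and in_chrome:
            signals.append(s.group(1))
            in_chrome = False      # one signal line per tombstone
    return signals

def triage(inventory, logs):
    """Map device -> (action, Chrome native crash count)."""
    out = {}
    for dev, version in inventory.items():
        n = len(chrome_native_crashes(logs.get(dev, [])))
        if is_vulnerable(version):
            action = "patch+investigate" if n >= CRASH_THRESHOLD else "patch"
        else:
            action = "ok"
        out[dev] = (action, n)
    return out

# Constructed sample data (not from the advisory): MDM inventory and logcat excerpts.
INVENTORY = {"dev-a": "149.0.7000.10", "dev-b": "150.0.7100.5", "dev-c": ""}
T = "06-01 10:00:0{}.000  4100  4123 F DEBUG   : "
def tombstone(i, proc):
    return [T.format(i) + f"pid: 4100, tid: 4123, name: CrRendererMain  >>> {proc} <<<",
            T.format(i) + "signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x10"]
LOGS = {"dev-a": tombstone(1, CHROME_PKG + ":sandboxed_process0")
                 + tombstone(2, CHROME_PKG) + tombstone(3, "com.example.game"),
        "dev-b": tombstone(1, CHROME_PKG)}

if __name__ == "__main__": print(triage(INVENTORY, LOGS))
```

A crash count only prioritizes which unpatched devices to look at first; a device with an unknown version is treated as unpatched.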
Exploitation status
Public Exploit Available: false
Analyst recommendation
Vulnerabilities within core rendering libraries like Skia are high-value targets for attackers. It is imperative that security teams prioritize updating mobile browser components to ensure that memory corruption vulnerabilities are mitigated before they can be weaponized in the wild.