CVE-2026-13885

Google · Chrome for Android

A Use-After-Free vulnerability exists in the Skia graphics library within Google Chrome on Android prior to version 150, potentially allowing for arbitrary code execution.

Executive summary

A critical Use-After-Free vulnerability in the Skia graphics library of Google Chrome for Android could allow an attacker to execute arbitrary code.

Vulnerability

The vulnerability is located within the Skia graphics engine, a critical component for rendering 2D graphics. This Use-After-Free flaw can be triggered by processing malicious graphical content, requiring no authentication from the attacker.

Business impact

The CVSS score of 8.8 reflects the high severity of this vulnerability; graphics rendering engines are frequent targets for exploitation. A successful exploit could allow an attacker to break out of the browser sandbox, resulting in unauthorized access to device resources and sensitive user information.

Remediation

Immediate Action: Apply the vendor-provided security updates to Google Chrome for Android as soon as they become available.

Proactive Monitoring: Monitor for anomalous application crashes in mobile environments, which can sometimes serve as an indicator of an exploitation attempt against the graphics stack.

Compensating Controls: Maintain up-to-date security patches for the underlying Android OS, as these often contain security improvements for shared system libraries.
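To track the "Immediate Action" item across a device fleet, the following added example (not part of the original advisory or any vendor tooling) classifies devices from the text returned by `adb shell dumpsys package com.android.chrome`, using the advisory's statement that versions prior to 150 are affected. The device names and dumpsys excerpts are constructed sample data, and the function names are hypothetical.

```python
import re

# From the advisory: Chrome for Android prior to version 150 is affected.
FIXED_MAJOR = 150
VERSION_RE = re.compile(r"^\s*versionName=(\S+)", re.MULTILINE)


def active_version(dumpsys_text):
    """Return the versionName of the package actually in use, or None."""
    # When a preinstalled Chrome has been updated, the superseded copy is
    # listed under "Hidden system packages:". Ignore that section so the
    # old factory version is not reported as the running one.
    active = dumpsys_text.split("Hidden system packages:", 1)[0]
    match = VERSION_RE.search(active)
    return match.group(1) if match else None


def classify(version):
    """Map a version string to 'affected', 'patched' or 'unknown'."""
    if version is None:
        return "unknown"
    major = version.split(".", 1)[0]
    if not major.isdigit():
        return "unknown"  # malformed value: flag for manual review
    return "affected" if int(major) < FIXED_MAJOR else "patched"


def audit(inventory):
    """inventory: {device_id: dumpsys text} -> {device_id: status}."""
    return {dev: classify(active_version(txt)) for dev, txt in inventory.items()}


# Constructed sample inventory (not real devices or real build numbers).
SAMPLE = {
    "pixel-01": ("Packages:\n  Package [com.android.chrome] (a1b2c3):\n"
                 "    versionCode=1 minSdk=29\n    versionName=150.0.1.2\n"
                 "Hidden system packages:\n  Package [com.android.chrome] (d4e5f6):\n"
                 "    versionName=140.0.1.2\n"),
    "tablet-07": ("Packages:\n  Package [com.android.chrome] (a1b2c3):\n"
                  "    versionName=149.0.9.9\n"),
    "kiosk-03": "Unable to find package: com.android.chrome\n",
}

if __name__ == "__main__":
    for device, status in sorted(audit(SAMPLE).items()):
        print(f"{device}: {status}")
```

Devices reported as `unknown` should be reviewed manually rather than assumed patched.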

Exploitation status

Public Exploit Available: false

Analyst recommendation

Vulnerabilities within core rendering libraries like Skia are high-value targets for attackers. It is imperative that security teams prioritize updating mobile browser components to ensure that memory corruption vulnerabilities are mitigated before they can be weaponized in the wild.