CVE-2026-15113
Google · Chrome
A use-after-free vulnerability in the Google Chrome Autofill component on Android allows remote attackers to trigger a sandbox escape through a crafted HTML page.
Executive summary
A critical use-after-free vulnerability in Google Chrome for Android may allow an attacker to bypass browser security sandboxing and execute arbitrary code.
Vulnerability
This is a use-after-free vulnerability in the Autofill component that could allow a remote attacker to potentially perform a sandbox escape via a crafted HTML page. Successful exploitation could enable an attacker to break out of the browser's sandbox and execute code with native privileges or read protected data. This requires user interaction (visiting a malicious site).
Business impact
The CVSS score of 9.6 reflects the critical nature of this vulnerability. A sandbox escape is a severe security failure, as it circumvents the primary defense of the browser, potentially leading to full device compromise, theft of credentials, or unauthorized access to sensitive application data. The high severity necessitates immediate action to protect mobile endpoints.
Remediation
Immediate Action: Update Google Chrome on all affected Android devices to version 150.0.7871.115 or later via the Google Play Store.
Proactive Monitoring: Ensure that mobile device management (MDM) policies are enforcing automatic updates for browser software to minimize the window of exposure.
Compensating Controls: While browser-level controls are limited, utilizing enterprise-grade mobile threat defense (MTD) solutions can help identify and block connections to known malicious domains that might host exploitation attempts.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the potential for sandbox escape and remote code execution, this vulnerability represents an urgent risk. Users and administrators should ensure that the latest Chrome update is applied across all Android devices in the environment to mitigate the threat of a full device compromise.