Description
Use after free in Skia in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use-after-free flaw was discovered in the Skia graphics library bundled with Google Chrome for Android. An attacker who can serve a specially crafted HTML page to a target user can trigger use of the freed memory and execute arbitrary code inside the browser's standard sandbox. This can compromise the confidentiality and integrity of the data the browser handles, and may be leveraged to further breach the device if the sandbox can be escaped.

Affected Systems

The vulnerability affects Google Chrome on Android versions earlier than 150.0.7871.47. Any device running these releases that processes untrusted web content is potentially exposed, irrespective of the operating system version.

Risk and Exploitability

Chromium rates the issue as Medium, and it is not listed in CISA’s KEV catalog. No EPSS score is publicly available, but because the vulnerability is remotely exploitable via a maliciously crafted page, an attacker who can deliver the page to a user has a high likelihood of success. Exploitation requires user interaction: the target must visit a web page that triggers the use-after-free, for example by opening a malicious link. Once the flaw is exploited, the attacker gains code execution within Chrome’s sandbox.

Generated by OpenCVE AI on July 1, 2026 at 00:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome for Android to version 150.0.7871.47 or newer via the Google Play Store or device management channel.
  • Configure Android device management or Chrome policy to enforce automatic updates so that the browser stays current on all devices.
  • If updates cannot be applied immediately, consider restricting access to untrusted web content by employing web filtering, disabling JavaScript, or setting Chrome to block potentially harmful sites until a patch is available.

Generated by OpenCVE AI on July 1, 2026 at 00:57 UTC.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 01:15:00 +0000

Type: Title
Values Removed: (none)
Values Added: Use-After-Free in Skia Enables Remote Code Execution via Crafted Web Page

Tue, 30 Jun 2026 23:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Use after free in Skia in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-416

References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:08.957Z

Reserved: 2026-06-29T23:03:42.053Z

Link: CVE-2026-13885

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T01:00:14Z

Weaknesses