CRITICAL | CVE-2026-13851 | CNA: Chrome

CVE-2026-13851: Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 150

Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 150.0.7871.47 allowed a local attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: High)

Metrics

  • CVSS v3.1: 9.1
  • Severity: CRITICAL
  • Fixed in: 150.0.7871.47
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Insufficient input validation in the WebAppInstalls component of Google Chrome on Android (versions prior to 150.0.7871.47) allows a local attacker to bypass discretionary access control by serving a crafted HTML page. The CVSS vector indicates network-reachable exploitation with no authentication or user interaction required, enabling the attacker to tamper with data and disrupt service availability. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version of Chrome on Android.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-13851 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle Chrome on Android. Any image carrying a Chrome version below 150.0.7871.47 on an Android base is flagged automatically during registry scans and CI pipeline checks.

Status: Available

Triage

HarborGuard scores this CVE at 9.1 CVSS v3.1 (Critical) and surfaces it accordingly in each customer organization's triage queue, weighted against that environment's active compliance policy. Routing rules direct the alert to the team or inbox configured for Critical-severity findings in the affected workload namespace.

Status: Available

Patch

A patched-image rebuild at Chrome 150.0.7871.47 becomes available through HarborGuard for any image found to carry an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The vulnerable component is reachable over the network (AV:N), meaning an attacker can deliver the crafted HTML page without needing local system access.

  • Authentication: Not required

    No account or credential is required (PR:N); an unauthenticated attacker can trigger the vulnerability directly.

  • Victim interaction: Not required

    No user action such as clicking a link or opening a file is needed (UI:N); the attacker does not depend on social engineering to complete the exploit.

  • Attack complexity: Detail

    Attack complexity is Low (AC:L), meaning the exploit is reliable and imposes no special preconditions such as race conditions or memory-layout dependencies.

Blast Radius

  • A successful attacker bypasses discretionary access control, allowing writes or modifications to files and data the Chrome process would normally be restricted from touching.
  • Integrity of installed web app data and associated Android storage can be tampered with, potentially altering app behavior or persisted user data.
  • Availability of the affected Chrome instance and any hosted web apps is disrupted, crashing or destabilizing the process (CVSS A:H).
  • Because the scope is unchanged (S:U), impact is contained to the Chrome process and its sandbox boundaries, but within those boundaries both integrity and availability are fully compromised.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-13851 is active across all scanning environments, flagging any image that packages Chrome for Android at a version below 150.0.7871.47. A patched-image rebuild at 150.0.7871.47 is available immediately. For customers who opt into auto-remediation, HarborGuard rebuilds the affected image, executes a regression test run, and opens a pull request against affected workloads; for Critical-severity findings, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and a prioritized alert are staged and waiting for engineer review. Customers who cannot update immediately should consider isolating affected Android workloads behind network policy controls that restrict untrusted HTML delivery paths until the patched image is promoted.


Fix available: 150.0.7871.47

Affected packages
  • Google / Chrome
    < 150.0.7871.47 (from 150.0.7871.47)

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H