CVE-2026-13851: Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 150
Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 150.0.7871.47 allowed a local attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 9.1
- Severity: CRITICAL
- Fixed in: 150.0.7871.47
- Affected Products: 1
HarborGuard Analysis
Synopsis
Insufficient input validation in the WebAppInstalls component of Google Chrome on Android (versions prior to 150.0.7871.47) allows a local attacker to bypass discretionary access control by serving a crafted HTML page. The CVSS vector indicates network-reachable exploitation with no authentication or user interaction required, enabling the attacker to tamper with data and disrupt service availability. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version of Chrome on Android.
HarborGuard Coverage
Detection capability for CVE-2026-13851 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle Chrome on Android. Any image carrying a Chrome version below 150.0.7871.47 on an Android base is flagged automatically during registry scans and CI pipeline checks.
Available
HarborGuard scores this CVE at 9.1 CVSS v3.1 (Critical) and surfaces it accordingly in each customer organization's triage queue, weighted against that environment's active compliance policy. Routing rules direct the alert to the team or inbox configured for Critical-severity findings in the affected workload namespace.
Available
A patched-image rebuild at Chrome 150.0.7871.47 becomes available through HarborGuard for any image found to carry an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Required
The vulnerable component is reachable over the network (AV:N), meaning an attacker can deliver the crafted HTML page without needing local system access.
- Authentication: Not required
No account or credential is required (PR:N); an unauthenticated attacker can trigger the vulnerability directly.
- Victim interaction: Not required
No user action such as clicking a link or opening a file is needed (UI:N); the attacker does not depend on social engineering to complete the exploit.
- Attack complexity: Detail
Attack complexity is Low (AC:L), meaning the exploit is reliable and imposes no special preconditions such as race conditions or memory-layout dependencies.
Blast Radius
- A successful attacker bypasses discretionary access control, allowing writes or modifications to files and data the Chrome process would normally be restricted from touching.
- Integrity of installed web app data and associated Android storage can be tampered with, potentially altering app behavior or persisted user data.
- Availability of the affected Chrome instance and any hosted web apps is disrupted, crashing or destabilizing the process (CVSS A:H).
- Because the scope is unchanged (S:U), impact is contained to the Chrome process and its sandbox boundaries, but within those boundaries both integrity and availability are fully compromised.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-13851 is active across all scanning environments, flagging any image that packages Chrome for Android at a version below 150.0.7871.47. A patched-image rebuild at 150.0.7871.47 is available immediately. For customers who opt into auto-remediation, HarborGuard rebuilds the affected image, executes a regression test run, and opens a pull request against affected workloads; for Critical-severity findings, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and a prioritized alert are staged and waiting for engineer review. Customers who cannot update immediately should consider isolating affected Android workloads behind network policy controls that restrict untrusted HTML delivery paths until the patched image is promoted.
Fix available
- Google / Chrome < 150.0.7871.47 (from 150.0.7871.47)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H