CVE-2026-13852 (Severity: CRITICAL; CNA: Chrome)

CVE-2026-13852: Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 150

Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 150.0.7871.47 allowed a local attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: High)

Metrics

  • CVSS v3.1: 9.1
  • Severity: CRITICAL
  • Fixed in: 150.0.7871.47
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Insufficient input validation in the WebAppInstalls component of Google Chrome on Android allows a network-reachable attacker with no authentication to bypass discretionary access control via a crafted HTML page. The CVSS vector scores this at 9.1 Critical, reflecting high impact to both integrity and availability with no barriers to exploitation. A patched-image rebuild at Chrome 150.0.7871.47 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-13852 is available across every HarborGuard environment, with ingestion from upstream feeds occurring within minutes of publication and matching applied against all customer registries and CI/CD pipelines, including custom-built Android container images that bundle a Chrome WebView or embedded browser component. Any image carrying a Chrome version below 150.0.7871.47 is flagged automatically.
Triage: Available

HarborGuard scores this finding at CVSS 9.1 Critical and weights it against each customer organization's compliance policy to determine breach-of-threshold urgency. Triage routing then sends the finding to the team or inbox configured in each customer environment, based on severity tier and affected workload ownership.
Patch: Available

A patched-image rebuild pinned to Chrome 150.0.7871.47 is available on HarborGuard for any environment where an affected image is detected. For customers with auto-remediation enabled, HarborGuard can trigger a rebuild, run a regression test suite against the updated image, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker delivers a crafted HTML page over the network to a vulnerable Chrome on Android instance, requiring the target device to be reachable or browsing attacker-controlled content.

  • Authentication: Not required

    No account or credential of any kind is required; the exploit is reachable by any unauthenticated party who can serve or link to a crafted HTML page.

  • Victim interaction: Not required

    No user action beyond normal browsing is required for the crafted page to trigger the insufficient validation flaw.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental preconditions to succeed.

Blast Radius

  • The attacker bypasses discretionary access control, writing or modifying data in storage or filesystem locations that Chrome on Android would normally restrict.
  • The attacker causes high availability impact, crashing or destabilizing the Chrome browser process or a dependent subsystem on the target device.
  • A successful exploit may allow installation or modification of web app manifests and associated data without user consent, altering what applications appear installed on the device.
  • Combined integrity and availability loss on the affected Android device can disrupt browser-dependent workflows and expose locally persisted browser data to unauthorized writes.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-13852 activates the moment the advisory is ingested, flagging any container image that bundles Chrome below 150.0.7871.47. A rebuild at the fixed version is available for affected images, and for customers who opt into auto-remediation, HarborGuard triggers the rebuild, runs regression tests, and opens a pull request against affected workloads; for Critical-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation environments is typically under 90 minutes. Where compliance policy permits immediate remediation, no manual triage step is required. Customers who prefer manual review will find the finding routed to their configured security inbox with full CVSS detail and affected image inventory.


Fix available: 150.0.7871.47

Affected packages
  • Google / Chrome: < 150.0.7871.47 (from 150.0.7871.47)

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H