CVE-2026-13852: Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 150
Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 150.0.7871.47 allowed a local attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1
- 9.1
- Severity
- CRITICAL
- Fixed in
- 150.0.7871.47
- Affected Products
- 1
HarborGuard Analysis
Synopsis
Insufficient input validation in the WebAppInstalls component of Google Chrome on Android allows a network-reachable attacker with no authentication to bypass discretionary access control via a crafted HTML page. The CVSS vector scores this at 9.1 Critical, reflecting high impact to both integrity and availability with no barriers to exploitation. A patched-image rebuild at Chrome 150.0.7871.47 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-13852 is available across every HarborGuard environment, with ingestion from upstream feeds occurring within minutes of publication and matching applied against all customer registries and CI/CD pipelines, including custom-built Android container images that bundle a Chrome WebView or embedded browser component. Any image carrying a Chrome version below 150.0.7871.47 is flagged automatically.
AvailableHarborGuard is capable of scoring this finding at CVSS 9.1 Critical and weighting it against each customer organization's compliance policy to determine breach-of-threshold urgency. Triage routing routes findings to the team or inbox configured in each customer environment based on severity tier and affected workload ownership.
AvailableA patched-image rebuild pinned to Chrome 150.0.7871.47 is available on HarborGuard for any environment where an affected image is detected. For customers with auto-remediation enabled, HarborGuard can trigger a rebuild, run a regression test suite against the updated image, and open a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker delivers a crafted HTML page over the network to a vulnerable Chrome on Android instance, requiring the target device to be reachable or browsing attacker-controlled content.
- AuthenticationNot required
No account or credential of any kind is required; the exploit is reachable by any unauthenticated party who can serve or link to a crafted HTML page.
- Victim interactionNot required
No user action beyond normal browsing is required for the crafted page to trigger the insufficient validation flaw.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental preconditions to succeed.
Blast Radius
- The attacker bypasses discretionary access control, writing or modifying data in storage or filesystem locations that Chrome on Android would normally restrict.
- The attacker causes high availability impact, crashing or destabilizing the Chrome browser process or a dependent subsystem on the target device.
- A successful exploit may allow installation or modification of web app manifests and associated data without user consent, altering what applications appear installed on the device.
- Combined integrity and availability loss on the affected Android device can disrupt browser-dependent workflows and expose locally persisted browser data to unauthorized writes.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-13852 activates the moment the advisory is ingested, flagging any container image that bundles Chrome below 150.0.7871.47. A rebuild at the fixed version is available for affected images, and for customers who opt into auto-remediation, HarborGuard triggers the rebuild, runs regression tests, and opens a pull request against affected workloads; for Critical-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation environments is typically under 90 minutes. Where compliance policy permits immediate remediation, no manual triage step is required. Customers who prefer manual review will find the finding routed to their configured security inbox with full CVSS detail and affected image inventory.
Fix available
- Google / Chrome< 150.0.7871.47 (from 150.0.7871.47)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H