CVE-2026-13872: Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 150
Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 150.0.7871.47 allowed a local attacker to potentially perform a sandbox escape via a malicious file. (Chromium security severity: Medium)
Metrics
- CVSS v3.1
- 9.1
- Severity
- CRITICAL
- Fixed in
- 150.0.7871.47
- Affected Products
- 1
HarborGuard Analysis
Synopsis
Insufficient input validation in the WebAppInstalls component of Google Chrome on Android (versions prior to 150.0.7871.47) allows a network-reachable attacker with no authentication to tamper with the system and disrupt service availability. The CVSS vector reflects no privilege requirement and no victim interaction needed, with high impact to both integrity and availability. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-13872 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built Android Chrome images. Coverage extends to any image layer that bundles an affected Chrome binary below 150.0.7871.47.
AvailableTriage is available with a CVSS v3.1 score of 9.1 (Critical), weighted further against each customer environment's compliance policy to reflect local risk tolerance and regulatory requirements. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
AvailableA patched-image rebuild at Chrome 150.0.7871.47 becomes available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker must reach the affected service over the network; Chrome on Android exposes this component to remote input by design.
- AuthenticationNot required
No credentials or account are needed to trigger the vulnerability.
- Victim interactionNot required
The attacker does not need the device user to click a link or take any other action to exploit this flaw.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race conditions, or memory-layout knowledge.
Blast Radius
- A successful attacker escapes the Chrome sandbox, breaking the isolation boundary that normally confines web content to its own restricted process.
- The attacker gains the ability to modify files and application state on the Android device outside the sandbox, corrupting persisted data or installed web app configurations.
- The attacker can crash or destabilize the Chrome process and dependent components, causing sustained denial of service for the browser and any web apps installed through WebAppInstalls.
- Because sandbox escape can expose process memory and inter-process communication channels, sensitive data handled by the browser process becomes accessible to the attacker.
How HarborGuard Handles This
Available on HarborGuard: images containing Chrome on Android below version 150.0.7871.47 are flagged at a Critical severity (CVSS 9.1) as soon as the CVE enters the ingestion pipeline, typically within minutes of publication. Where compliance policy permits auto-remediation, HarborGuard triggers a rebuild pinned to 150.0.7871.47, executes a regression test run against the rebuilt image, and opens a pull request against affected workloads; for high and critical severity issues, median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments that require manual approval before remediation, the finding appears in the triage queue with the fix version pre-populated so engineers can act without additional research. If a policy or operational constraint prevents immediate upgrade, consider applying network-level controls to restrict untrusted file delivery to the affected Chrome component as a compensating measure until the patched build is promoted.
Fix available
- Google / Chrome< 150.0.7871.47 (from 150.0.7871.47)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H