HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-13872Published Modified CNA Chrome

CVE-2026-13872: Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 150

Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 150.0.7871.47 allowed a local attacker to potentially perform a sandbox escape via a malicious file. (Chromium security severity: Medium)

Metrics

CVSS v3.1
9.1
Severity
CRITICAL
Fixed in
150.0.7871.47
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

Insufficient input validation in the WebAppInstalls component of Google Chrome on Android (versions prior to 150.0.7871.47) allows a network-reachable attacker with no authentication to tamper with the system and disrupt service availability. The CVSS vector reflects no privilege requirement and no victim interaction needed, with high impact to both integrity and availability. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-13872 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built Android Chrome images. Coverage extends to any image layer that bundles an affected Chrome binary below 150.0.7871.47.

Available
Triage

Triage is available with a CVSS v3.1 score of 9.1 (Critical), weighted further against each customer environment's compliance policy to reflect local risk tolerance and regulatory requirements. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Available
Patch

A patched-image rebuild at Chrome 150.0.7871.47 becomes available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the affected service over the network; Chrome on Android exposes this component to remote input by design.

  • AuthenticationNot required

    No credentials or account are needed to trigger the vulnerability.

  • Victim interactionNot required

    The attacker does not need the device user to click a link or take any other action to exploit this flaw.

  • Attack complexityDetail

    Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race conditions, or memory-layout knowledge.

Blast Radius

  • A successful attacker escapes the Chrome sandbox, breaking the isolation boundary that normally confines web content to its own restricted process.
  • The attacker gains the ability to modify files and application state on the Android device outside the sandbox, corrupting persisted data or installed web app configurations.
  • The attacker can crash or destabilize the Chrome process and dependent components, causing sustained denial of service for the browser and any web apps installed through WebAppInstalls.
  • Because sandbox escape can expose process memory and inter-process communication channels, sensitive data handled by the browser process becomes accessible to the attacker.

How HarborGuard Handles This

Available on HarborGuard: images containing Chrome on Android below version 150.0.7871.47 are flagged at a Critical severity (CVSS 9.1) as soon as the CVE enters the ingestion pipeline, typically within minutes of publication. Where compliance policy permits auto-remediation, HarborGuard triggers a rebuild pinned to 150.0.7871.47, executes a regression test run against the rebuilt image, and opens a pull request against affected workloads; for high and critical severity issues, median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments that require manual approval before remediation, the finding appears in the triage queue with the fix version pre-populated so engineers can act without additional research. If a policy or operational constraint prevents immediate upgrade, consider applying network-level controls to restrict untrusted file delivery to the affected Chrome component as a compensating measure until the patched build is promoted.

See how HarborGuard automates this

Fix available

150.0.7871.47
Affected packages
  • Google / Chrome
    < 150.0.7871.47 (from 150.0.7871.47)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H