CVE-2026-13852: Chrome Android Access Bypass Fixed in 150.0.7871.47

Google has fixed CVE-2026-13852, a high-severity flaw in Chrome for Android before version 150.0.7871.47 that let a local attacker use a crafted HTML page to bypass discretionary access control in WebAppInstalls, and users and administrators should treat the corrected build as the minimum safe version. The vulnerability is unusually easy to misread because Chromium calls it High while CISA-ADP assigns a 9.1 CRITICAL score. Its public description says “local attacker,” yet the contributed CVSS vector describes a network-reachable, low-complexity attack requiring neither privileges nor user interaction. The responsible response is therefore neither panic nor semantic debate: patch Android Chrome quickly, verify the installed version, and recognize that the public record still leaves important parts of the attack chain unexplained.

Cybersecurity infographic contrasts a malicious web-app install with Chrome protections and enterprise device compliance.A Browser Installation Feature Crossed an Android Security Boundary​

CVE-2026-13852 resides in WebAppInstalls, the part of Chrome involved in turning web content into an installed web-app experience. The National Vulnerability Database describes the underlying failure as insufficient validation of untrusted input, allowing a crafted HTML page to bypass discretionary access control on Android.
That phrasing points to a boundary error rather than a conventional browser memory-corruption bug. Chrome was apparently accepting or processing attacker-controlled information in an installation-related path without adequately proving that the input was valid for the security-sensitive operation that followed.
The record classifies the weakness as CWE-20, Improper Input Validation. That category is broad, but the practical principle is precise: software must not merely parse data successfully; it must establish that the data is structurally, semantically, and contextually acceptable before allowing it to influence a privileged decision.
Web-app installation is exactly where this distinction matters. An HTML document is untrusted content, while installing or registering an application-like experience can involve persistent state, operating-system integration, launch behavior, identifiers, icons, shortcuts, and permissions or policy decisions. A browser component that bridges those worlds must enforce a stricter contract than ordinary page rendering.
The published description does not say which field, object, or installation step was inadequately validated. The linked Chromium issue requires permission, limiting the amount of technical detail available to defenders and preventing a responsible public analysis from claiming a specific root-cause mechanism.
What is known is the security outcome: discretionary access control could be bypassed. That is stronger than saying Chrome displayed misleading information or accepted malformed metadata. It indicates that an operation restricted by an access-control decision could reportedly be reached or influenced through input that should not have been trusted.
The decisive security boundary is not simply web page versus browser. It is untrusted web input versus an Android-integrated installation operation. That is why a flaw in a feature that many people associate with adding a site to the home screen can carry a much higher consequence than its user-interface surface suggests.

The Affected Line Is Clear Even When the Exploit Path Is Not​

The affected-version statement is one of the least ambiguous parts of the record. Google Chrome on Android is vulnerable before 150.0.7871.47, while that version establishes the published correction boundary.
Chrome deploymentVersion conditionPublished statusPractical response
Chrome on AndroidEarlier than 150.0.7871.47AffectedUpdate and verify the resulting version
Chrome on Android150.0.7871.47 or laterOutside the published affected rangeRetain normal update enforcement and monitoring
NIST’s initial analysis expresses that boundary through an application CPE for Google Chrome with versions up to, but excluding, 150.0.7871.47, combined with an Android operating-system CPE. The combination matters: the published affected configuration is explicitly Chrome running on Android, not an undifferentiated finding against every Chrome installation.
That distinction should prevent a common vulnerability-management error. A scanner, feed, or asset database may match the product name “Google Chrome” without preserving the platform condition, producing alerts for Windows, macOS, or Linux systems based only on a version comparison. The NVD configuration does not identify those desktop platforms as affected by this CVE.
The vendor reference can make that confusion worse because NVD points to a Chrome Releases page labeled as a Stable Channel Update for Desktop. The advisory includes the CVE, but the CVE description and affected configuration remain Android-specific. Administrators should follow the actual platform and CPE scope instead of inferring that a desktop-labeled release page automatically expands the vulnerability to desktop Chrome.
That metadata mismatch is not a reason to ignore the record. It is a reason to normalize it carefully. Security teams should map CVE-2026-13852 to Chrome for Android assets, preserve the corrected-version threshold, and avoid turning an Android remediation task into a fleet-wide desktop incident unsupported by the published configuration.
For unmanaged users, the instruction is simpler: open Chrome’s application details or the relevant app-store page, confirm that the browser has updated, and verify that the resulting version is at least 150.0.7871.47. Assuming that automatic updates “must have happened” is weaker than checking the version that is actually installed.
Managed fleets require more discipline because release availability and installation are separate events. An update may be approved or visible while devices remain behind because they have not checked in, have deferred application updates, have insufficient storage, are offline, or are outside the administrator’s effective policy boundary.
The version threshold should therefore become a compliance test rather than an announcement. A device is not remediated because an administrator sent an instruction, changed a policy, or observed the new release in a console. It is remediated when inventory reports an installed Chrome version at or above the corrected build.

“High” and “Critical” Describe Different Layers of the Record​

Chromium assigns CVE-2026-13852 a security severity of High. CISA-ADP contributes a CVSS 3.1 base score of 9.1, which falls in the CRITICAL range.
Those labels are not interchangeable, and the public record does not show an NVD-produced score that resolves the difference. NVD lists no assessment yet for CVSS 4.0, no NVD base score for CVSS 3.x, and no NVD base score for CVSS 2.0. The 9.1 figure is explicitly a CISA-ADP contribution displayed by NVD.
The contributed vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H. Read literally, it describes a network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, high integrity impact, and high availability impact.
That profile explains how the mathematical score reaches 9.1. The assessment gives maximum practical weight to an attack that can seriously alter protected state and disrupt availability without requiring credentials or interaction, even though it does not claim direct disclosure of confidential information.
But the vector also exposes the central ambiguity in this vulnerability’s public documentation. The Chrome-authored description says the flaw allowed a local attacker to bypass access control through a crafted HTML page. The CISA-ADP vector says AV:N and UI:N, which ordinarily communicates network reachability without user interaction.
The two statements may be reconcilable through technical details that are not public. “Local attacker” could describe the attacker’s required position, the location of a supporting component, the security boundary being crossed, or the stage at which the crafted page is introduced. Alternatively, the contributed vector could reflect a different interpretation of how the page reaches WebAppInstalls.
What defenders should not do is invent the missing explanation. The permission-restricted Chromium issue means there is no publicly accessible technical narrative in the supplied references that proves whether an ordinary remote website can trigger the flaw, whether content must already exist locally, whether another process or app participates, or whether a prior condition is needed.
The phrase “crafted HTML page” also does not, by itself, establish a drive-by browser exploit. HTML is a delivery format, not a complete threat model. A page can be remote, local, embedded, generated by another application, restored from storage, or opened through an inter-application workflow.
Likewise, UI:N in the CVSS vector should not be casually translated into “merely visiting a website is enough” when the textual description simultaneously specifies a local attacker. CVSS describes assessed exploit properties, but terse vector fields cannot replace an end-to-end exploit account.
The correct operational reading is conservative: the score indicates potentially severe integrity and availability consequences, while the text indicates a constrained attacker context that remains insufficiently described. Patch urgency is justified by the consequence and the uncertainty together, not by pretending the uncertainty does not exist.

CISA Sees Automation and Total Technical Impact, but No Recorded Exploitation​

CISA-ADP’s Stakeholder-Specific Vulnerability Categorization adds another layer to the risk picture. At the July 1 assessment timestamp, its exploitation option was “none,” its automatable option was “yes,” and its technical-impact option was “total.”
Those three fields should be read as separate judgments. “Exploitation: none” means the SSVC record did not identify exploitation at that point; it does not prove that exploitation is impossible, and it should not be restated as a timeless guarantee that the vulnerability has never been used.
“Automatable: yes” suggests that, under CISA’s assessment, exploitation could be executed reliably enough to scale once the necessary conditions were met. That matters because even a vulnerability with a local prerequisite can become operationally serious when malicious applications, shared files, device-management abuse, or repeatable content-delivery mechanisms are involved.
“Technical impact: total” is the strongest consequence signal in the SSVC record. Combined with the CVSS vector’s high integrity and availability effects, it indicates that the assessed harm is not limited to a cosmetic installation error or a transient browser prompt.
The public materials still do not define exactly what “total” looks like for WebAppInstalls in this case. It would be irresponsible to convert that field into unsupported claims of complete device compromise, arbitrary code execution, data theft, or unrestricted Android privilege escalation.
Instead, administrators should preserve the wording of the available evidence. The vulnerability permits a bypass of discretionary access control, and CISA-ADP assesses the technical impact as total. Those facts support rapid remediation without requiring speculation about capabilities that Chrome and NVD have not published.
This is also why exploit status should not become an excuse for delay. Vulnerability disclosures often arrive before public proof-of-concept code, scanner coverage, detailed write-ups, or confirmed attacks. Once a corrected version exists, postponing deployment merely to wait for a more frightening exploitation label reverses the purpose of defensive patching.
At the same time, the “none” exploitation option is useful for prioritization. Organizations facing an overloaded remediation queue do not need to treat CVE-2026-13852 as an already active emergency based on the supplied record. They should treat it as a high-priority Android browser update with potentially severe consequences and unresolved exploit-path details.

The Disclosure Record Matured Over Three Days​

The NVD change history shows how quickly a bare vendor record can gain severity, configuration, and decision-support metadata. It also demonstrates why security teams should not freeze their interpretation at the moment a CVE first appears.

Timeline​

June 30, 2026 — NVD published CVE-2026-13852, and Chrome’s new CVE record was received at 7:16:59 PM with the description, affected-version boundary, CWE entry, release reference, and restricted Chromium issue reference.
July 1, 2026 — CISA-ADP modified the record at 12:16:36 PM, adding the CVSS 3.1 vector, the 9.1 CRITICAL assessment, CWE-20, and SSVC data identifying no exploitation, automatable exploitation potential, and total technical impact.
July 1, 2026 — CISA-ADP modified the record again at 3:16:38 PM to remove the CWE-20 entry from its contribution, although the displayed weakness enumeration still identifies CWE-20 with Chrome as the source.
July 2, 2026 — NIST performed its initial analysis at 9:38:46 AM, adding the combined Chrome-and-Android CPE configuration and classifying the Chrome references as release notes, a vendor advisory, and a permissions-required issue.
The sequence matters because each stage answers a different operational question. Chrome defines the flaw and affected version; CISA-ADP contributes consequence and prioritization signals; NIST adds a machine-readable affected configuration that vulnerability-management products can use for matching.
The CWE changes also illustrate the difference between a record’s history and its current presentation. CISA-ADP first added and later removed CWE-20 from its own contribution, but the NVD weakness table still shows CWE-20, sourced to Chrome. An analyst who reads only the change log could mistakenly conclude that the input-validation classification was withdrawn entirely.
Nothing in the history supplies an NVD-authored CVSS score. Security dashboards should therefore label 9.1 accurately as the CISA-ADP CVSS 3.1 score rather than presenting it as a settled NVD score. That distinction is not pedantry; source attribution affects how teams reconcile changing metrics and conflicting vendor assessments.
The record’s last-modified date of July 2 also means organizations that ingested it on June 30 may have received only part of the useful context. Vulnerability pipelines should refresh recently published records so that platform constraints, severity contributions, and decision-support fields added after initial publication are not missed.

Android Fleet Management Is the Real Windows Admin Angle​

CVE-2026-13852 does not target Windows Chrome according to the published affected configuration, but it still belongs on the radar of Windows-focused IT departments. Modern endpoint administration rarely stops at the Windows desktop; the same teams often oversee identities, browsers, mobile access, application compliance, and corporate Android devices.
Chrome is also not merely another mobile application. It can be an authentication surface, a managed browser, a gateway to web-based business tools, and the engine through which users install or launch web applications. A weakness specifically involving WebAppInstalls therefore intersects with both browser governance and application-control assumptions.
The first administrative challenge is visibility. Personally owned Android devices, work profiles, dedicated corporate devices, and fully managed handsets may all expose different inventory depth. Some consoles report application presence but not a sufficiently precise version, while others report stale data until the device checks in.
The second challenge is policy scope. A Chrome update requirement does not help devices that are excluded from the relevant group, operating outside enrollment, using an unmanaged profile, or permitted to access organizational resources without application-version compliance.
The third challenge is exception handling. Devices that cannot install the corrected version should not disappear into a generic “pending” count. They need an owner, a reason, a deadline, and—where organizational risk warrants it—a temporary access restriction until they meet the minimum version.
Administrators should also watch for false positives on desktop systems. If an asset-management platform reports CVE-2026-13852 against Chrome on Windows solely because the browser version is numerically below 150.0.7871.47, the matching rule has probably discarded the Android CPE condition. That should trigger a content or normalization review rather than a desktop patching campaign for this specific CVE.
Conversely, the absence of a scanner alert does not establish that Android devices are safe. Mobile inventory may be incomplete, vulnerability scanners may not inspect application versions inside work profiles, and consumer update channels may fall outside enterprise reporting. Version-based verification remains the reliable test.

Action checklist for admins​

  • Identify Android devices with Google Chrome installed and obtain the full installed browser version.
  • Treat every Chrome for Android build earlier than 150.0.7871.47 as affected.
  • Expedite deployment or enforcement of version 150.0.7871.47 or later through the organization’s normal application-update channel.
  • Re-query inventory after deployment and separate confirmed upgrades from devices that are merely targeted by policy.
  • Investigate stale, offline, unenrolled, storage-constrained, or update-blocked devices that remain below the corrected version.
  • Validate that vulnerability tools preserve the Android platform condition and are not incorrectly assigning this CVE to desktop Chrome.
  • Monitor the Chrome advisory, NVD record, and restricted-issue status for additional exploit details or revised scoring.
These steps deliberately avoid unsupported workarounds. The supplied vendor and NVD material establishes a corrected-version boundary but does not document a configuration toggle, feature-disable procedure, enterprise policy, or other compensating control that can be asserted as an official mitigation.
In the absence of a published workaround, updating is the defensible remedy. Organizations that cannot update immediately can reduce general exposure by applying their existing controls for untrusted content and unmanaged applications, but they should not represent those controls as equivalent to fixing the faulty validation logic.

The Restricted Chromium Issue Leaves Defenders Managing Uncertainty​

Google’s decision to restrict the linked Chromium issue is not unusual during the early life of a browser vulnerability. Technical details may be withheld while updates propagate, downstream projects incorporate patches, or developers assess whether disclosure would make exploitation easier.
The trade-off is that defenders receive a precise version boundary without a precise exploit narrative. They know what to update but cannot yet fully model which threat actor position, content-delivery route, or installation state is necessary to reach the vulnerable code.
That information gap encourages two opposite forms of overstatement. Some summaries inflate every access-control bypass into device takeover, while others downgrade anything involving a “local attacker” into a low-priority problem requiring physical possession.
Neither conclusion follows from the published facts. The 9.1 vector and total technical-impact assessment warn against trivializing the outcome, while the local-attacker language warns against assuming a universal remote drive-by attack. The honest answer is that the exploit preconditions remain underspecified.
The disagreement between the text and vector should be tracked, not smoothed over. If the Chromium issue later becomes public or Google expands its advisory, the most valuable clarification will be whether “local” describes attacker access, content origin, another application on the device, or the point at which Android’s access-control boundary is crossed.
A second important question is what action WebAppInstalls could perform after the bypass. The current record gives defenders the security class—discretionary access-control bypass—but not the resulting persistent state, privilege, or operational disruption.
A third question is whether the faulty behavior is unique to Google Chrome’s Android packaging or inherited by other products using related Chromium code. The supplied affected-product record names Google Chrome, and administrators should not automatically extend the CVE to every Chromium-based Android browser without vendor confirmation.
This restraint cuts both ways. Other browser vendors and application suppliers should inspect their own exposure, but vulnerability managers should not manufacture affected-product lists by association. Shared upstream ancestry can justify investigation; it does not replace an affected-version statement.
The same discipline applies to threat intelligence. The SSVC exploitation value of “none” is a dated assessment, not a permanent property. If exploitation evidence emerges, the operational priority can change faster than the core CVE record’s wording.

Web Apps Deserve Native-App Security Discipline​

CVE-2026-13852 is also a reminder that web-app installation is not merely a convenience feature. The moment browser content gains persistence, launch integration, application-like identity, or operating-system presence, installation code becomes part of the endpoint’s security perimeter.
The web platform traditionally assumes hostile input. Pages can lie about metadata, manipulate navigation, produce malformed resources, race asynchronous events, and combine individually valid fields into invalid states. A safe WebAppInstalls implementation must preserve that hostile-input assumption even when the user has expressed an intention to install something.
That means validating more than syntax. Identifiers must refer to the expected origin and context; installation state must remain consistent; references must not escape their allowed scope; and requests originating in untrusted content must not silently inherit authority belonging to the browser or operating system.
The CWE-20 classification captures the broad failure pattern, but it does not show which of those invariants was violated here. Still, the broader lesson is visible: a permissive assumption made at the web layer can become an access-control failure when it crosses into an application-installation layer.
For enterprises embracing browser-delivered software, that is a governance issue as much as a coding issue. Web applications may reduce traditional packaging overhead, but they do not eliminate the need for inventory, lifecycle management, controlled installation, version enforcement, and incident response.
Users tend to perceive an installed web app as safer or more official because it has an icon and launches like a native application. Attackers can benefit from that mental shortcut. Browsers must therefore treat installability as a security-sensitive transformation, not a cosmetic wrapper around a tab.
CVE-2026-13852 does not prove that installed web apps as a category are unsafe. It shows that the machinery connecting a page to an installed experience can itself become vulnerable and deserves the same scrutiny applied to native application installers, protocol handlers, and package-registration systems.

What the Record Supports—and What It Does Not​

For decision-makers, the most useful interpretation is narrow, evidence-based, and immediately actionable. The affected platform and version are known, the corrected boundary is known, and the published consequence is serious enough to justify accelerated deployment.
  • CVE-2026-13852 affects Google Chrome on Android before 150.0.7871.47.
  • The flaw is improper validation of untrusted input in WebAppInstalls and can bypass discretionary access control through a crafted HTML page.
  • Chromium rates it High; CISA-ADP supplies a 9.1 CRITICAL CVSS 3.1 score.
  • The public description says “local attacker,” while the contributed vector says network attack, no privileges, and no user interaction.
  • CISA-ADP records no exploitation at its assessment timestamp, but marks the flaw automatable with total technical impact.
  • The supplied record does not establish data theft, arbitrary code execution, complete device takeover, or desktop Chrome exposure.
The central administrative task is to keep those statements intact rather than embellishing them. Security communications should not omit the uncertainty, but neither should uncertainty obscure the corrected version or delay deployment.
CVE-2026-13852 is ultimately a patch-now, explain-carefully browser flaw: the Android scope and fixed-version threshold are precise, while the public exploit model is not. Organizations that verify Chrome 150.0.7871.47 or later across their Android population can close the known exposure today; the next phase will be watching whether Google’s restricted technical record eventually explains why a locally described crafted-page attack earned a network-vector critical score—and what that discrepancy reveals about the increasingly privileged machinery behind installed web apps.

References​

  1. Primary source: NVD / Chromium
    Published: 2026-07-11T15:40:57-07:00
  2. Security advisory: MSRC
    Published: 2026-07-11T15:40:57-07:00
    Original feed URL
  3. Related coverage: cvefeed.io
  4. Related coverage: security-tracker.debian.org
 

Back
Top