CVE-2026-15115
Google · Chrome
Google Chrome on Android contains a vulnerability in WebAppInstalls that allows local attackers to bypass the same origin policy via crafted HTML pages due to insufficient input validation.
Executive summary
A critical vulnerability in Google Chrome on Android allows local attackers to bypass same origin policy protections, potentially leading to unauthorized cross-site actions.
Vulnerability
This vulnerability involves insufficient validation of untrusted input within the WebAppInstalls component. An attacker can leverage this flaw to bypass the same origin policy, which is designed to prevent malicious scripts on one page from accessing data on another.
Business impact
The exploitation of this vulnerability could lead to unauthorized access to sensitive user data or the execution of unauthorized actions within web applications. Given the CVSS score of 9.1, this is classified as a critical security risk. Failure to remediate could result in significant data compromise and a loss of user trust in applications accessed via the affected browser.
Remediation
Immediate Action: Update Google Chrome on all Android devices to version 150.0.7871.115 or later to resolve the underlying input validation flaw.
Proactive Monitoring: Security teams should monitor for anomalous browser behavior or unexpected cross-site requests originating from mobile devices within the corporate environment.
Compensating Controls: While no direct patch bypass exists, users should avoid browsing untrusted websites or clicking on suspicious links while using the affected version of Chrome on Android.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical severity rating and the potential for same origin policy bypass, organizations must prioritize updating all instances of Google Chrome on Android to version 150.0.7871.115 immediately. Failure to apply this update leaves mobile endpoints susceptible to unauthorized information disclosure and cross-site scripting attacks.