HIGH 7.8

CVE-2026-9987: Chrome Android WebAppInstalls Code Execution Vulnerability

A flaw in Google Chrome for Android allows a malicious file to trick the app's installation handler into running unauthorized code on your device. An attacker would need local access (physical proximity or prior compromise) and some user interaction to pull this off. The vulnerability stems from insufficient validation when Chrome processes installation-related files or requests.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-20
Affected products
2 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 148.0.7778.216 allowed a local attacker to execute arbitrary code via a malicious file. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9987 is a local code execution vulnerability affecting Google Chrome's WebAppInstalls functionality on Android. The vulnerability exists due to insufficient validation of untrusted input in the Web App installation handler prior to version 148.0.7778.216. The flaw maps to CWE-20 (improper input validation) and allows a local attacker to execute arbitrary code with full app privileges by crafting a malicious file and inducing user interaction. Chrome's sandboxing on Android is bypassed only at the level of the WebAppInstalls process context.

Business impact

For organizations deploying Chrome on Android devices (BYOD, corporate-owned, or kiosk scenarios), this vulnerability creates a material risk. Compromised devices could serve as pivot points into internal networks if Chrome syncs sensitive data or authentication tokens. For app developers relying on Web App Install features via Chrome, malicious actors could abuse this to sideload malware or steal user credentials within the app's permission scope. The impact depends on what data and permissions are granted to Chrome on the affected device.

Affected systems

Google Chrome on Android versions prior to 148.0.7778.216 are affected. Desktop and iOS versions of Chrome are not impacted by this specific flaw. Android devices running affected Chrome versions are the sole target, regardless of Android version, provided Chrome is installed and used.

Exploitability

This vulnerability requires local access and user interaction, which moderately constrains exploitability. An attacker cannot remotely trigger code execution over the network. However, once a malicious file reaches a device (via email, messaging, download, or USB), the bar to trigger the vulnerability is relatively low—simply handling or installing a specially crafted web app is likely sufficient. The CVSS score of 7.8 (High) reflects this combination: low attack complexity and no privilege escalation needed, but local-only attack surface.

Remediation

Update Google Chrome on Android to version 148.0.7778.216 or later. Users should enable automatic app updates via the Google Play Store to ensure timely patching. Organizations with mobile device management (MDM) policies should enforce the Chrome version requirement and verify compliance across enrolled Android devices.

Patch guidance

Chrome on Android typically auto-updates through the Google Play Store. Verify that "Auto-update apps" is enabled in Play Store settings. Manual verification: open Chrome, navigate to Settings > About Chrome, and confirm the version is 148.0.7778.216 or later. For MDM-managed deployments, push the version requirement to all managed devices and monitor rollout status. No interim workarounds are available; patching is the only remediation.

Detection guidance

Monitor Chrome version deployments on Android devices via MDM telemetry or Play Store data. Look for suspicious Web App installation activity (native logs at /data/data/com.android.chrome/app_webapps/) correlated with unexpected code execution or file writes. On a forensic level, examine Chrome's cache and app data for malformed installation manifests or suspicious file origins. Behavioral detection is limited in scope without native endpoint monitoring; version compliance checks are the most practical detection method.

Why prioritize this

Although the vulnerability requires local access and user interaction, the combination of high severity (7.8 CVSS), full code execution, and Android's critical role in enterprise and consumer mobile ecosystems warrants rapid patching. The WebAppInstalls feature is frequently used for PWA and enterprise app distribution, making this a realistic attack vector in targeted scenarios. Prioritize patching devices with elevated risk (those syncing corporate credentials, payment data, or handling sensitive communications).

Risk score, explained

CVSS 7.8 High is driven by: (1) High impact across confidentiality, integrity, and availability; (2) Low attack complexity—no special conditions required; (3) No privilege escalation—attacker runs code in Chrome's context; (4) Local attack vector and required user interaction prevent a Critical rating. Organizations should treat this as HIGH priority due to the mobile device's trusted position in network access and data handling.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. CVE-2026-9987 is strictly local, requiring the attacker to have access to the device or the ability to place a malicious file on it. Network-based exploitation is not possible.

Do I need to do anything besides update Chrome?

Updating to version 148.0.7778.216 or later fully mitigates the vulnerability. No configuration changes, policy adjustments, or device wipes are necessary. Standard patching is sufficient.

What if I use Chrome on iOS or desktop—am I affected?

No. This vulnerability is specific to Chrome on Android. iOS and desktop versions do not have the affected WebAppInstalls code pathway.

How quickly do Android users receive the Chrome update?

Chrome updates are distributed through the Google Play Store, typically rolling out over days to weeks depending on Play Store's staged rollout schedule. Users with auto-update enabled will receive it automatically. Organizations using MDM can force deployment.

This analysis is based on official vendor disclosures and CVSS data current as of June 2026. Patch version numbers and affected software versions reflect ground-truth source data; verify against Google's official Chrome release notes and Android security updates. No exploit code or weaponized proof-of-concept is provided. This assessment is for informational purposes and does not constitute professional security advice; organizations should consult their security teams and conduct internal risk assessments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).