CVE-2026-15115 Overview
CVE-2026-15115 affects Google Chrome on Android in versions prior to 150.0.7871.115. The vulnerability stems from insufficient validation of untrusted input in the WebAppInstalls component. A local attacker can bypass the same-origin policy (SOP) using a crafted HTML page. Chromium categorizes the security severity as High, while the NVD CVSS 3.1 base score is 3.3 (Low) due to the local attack vector and required user interaction. The weakness is classified under CWE-20: Improper Input Validation.
Critical Impact
A crafted HTML page loaded by a Chrome for Android user can bypass same-origin policy, allowing cross-origin data access from the compromised browsing context.
Affected Products
- Google Chrome on Android prior to 150.0.7871.115
- Chromium-based browsers on Android sharing the affected WebAppInstalls code path
- Android applications embedding vulnerable Chrome/WebView components tied to WebAppInstalls
Discovery Timeline
- 2026-07-08 - CVE-2026-15115 published to NVD
- 2026-07-09 - Last updated in NVD database
Technical Details for CVE-2026-15115
Vulnerability Analysis
The defect resides in the WebAppInstalls subsystem of Chrome on Android. This component handles installation flows for Progressive Web Apps (PWAs) and web app manifests. The code fails to properly validate untrusted input supplied through a crafted HTML page. As a result, an attacker can bypass Chrome's same-origin policy, which normally isolates content across origins. The vulnerability requires a local vector and user interaction, meaning the target user must open or interact with attacker-controlled HTML on the device. Successful exploitation exposes data confined to one origin to script or content running under a different origin.
Root Cause
The root cause is improper input validation ([CWE-20]) within the WebAppInstalls flow. Origin-boundary checks did not sufficiently sanitize or verify attacker-controlled inputs before applying installation and origin-scoped logic. See the Chromium Issue Tracker #520576676 for the upstream tracking item.
Attack Vector
An attacker must convince a Chrome for Android user to open a crafted HTML page. The page triggers the vulnerable WebAppInstalls code path, causing the browser to relax or misapply same-origin boundaries. Because the CVSS vector requires user interaction and a local vector, phishing links, malicious ads, or attacker-controlled local files are plausible delivery mechanisms. No verified public exploit code is available; refer to the Google Chrome Stable Update advisory for vendor guidance.
// No verified public proof-of-concept is available.
// See the Chromium Issue Tracker entry #520576676 for technical details.
Detection Methods for CVE-2026-15115
Indicators of Compromise
- Chrome for Android clients still reporting User-Agent versions below 150.0.7871.115 in web server or proxy logs
- Unexpected PWA installation prompts or web app manifest fetches from unfamiliar origins on managed Android fleets
- Navigation to attacker-controlled HTML immediately followed by cross-origin resource access anomalies
Detection Strategies
- Inventory Android endpoints and enumerate installed Chrome versions using mobile device management (MDM) reporting
- Correlate outbound HTTP traffic for manifest requests (manifest.json, web-app-manifest) originating from suspicious domains
- Flag Chrome browser sessions where navigation events precede anomalous cross-origin fetches or storage reads
Monitoring Recommendations
- Ingest MDM and browser telemetry into a centralized analytics platform to track Chrome for Android version drift
- Monitor DNS and proxy logs for domains hosting suspicious PWA install prompts targeting employees
- Alert on Chrome crash reports or WebAppInstalls-related errors that could indicate exploitation attempts
How to Mitigate CVE-2026-15115
Immediate Actions Required
- Update Google Chrome on Android to version 150.0.7871.115 or later on every managed device
- Enforce automatic Chrome updates through Google Play and MDM policies
- Advise users to avoid opening untrusted HTML files or links until patching is verified
Patch Information
Google addressed the flaw in Chrome for Android 150.0.7871.115. Refer to the Google Chrome Stable Update announcement and the corresponding Chromium Issue Tracker #520576676 for release details. Downstream Chromium-based Android browsers should adopt the equivalent upstream fix.
Workarounds
- Restrict installation of web apps and PWAs via Chrome enterprise policies on managed Android devices
- Block navigation to untrusted domains through DNS filtering and secure web gateways
- Educate users about the risks of opening unsolicited HTML attachments or links on mobile devices
# Example: verify installed Chrome version on Android via adb
adb shell dumpsys package com.android.chrome | grep versionName
# Expected output should show 150.0.7871.115 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

