External risk intelligence

Chrome for Android Sandbox Escape via Malicious File

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-13872

The vulnerability requires a local attacker to provide a malicious file to trigger the issue, making it a client-side execution scenario that is not reachable via the public internet.

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A recent advisory identifies a security vulnerability in Google Chrome on Android that could allow a local attacker to escape the sandbox environment. This issue is related to how the WebAppInstalls feature handles untrusted input. While it requires local access and a malicious file, it's important to understand its potential implications.

  • It’s a local file access issue in Chrome.
  • It could allow unauthorized system access.
  • Confirm relevance and exposure to local risks.

Attack Path

How an attacker could exploit the issue

A local attacker could trick a user on an affected Android device into opening a malicious file. This file could exploit a flaw in how Chrome handles web app installations, potentially allowing the attacker to break out of Chrome's security sandbox. If successful, this could lead to further compromise of the device, though the specific impact beyond the sandbox escape is not detailed.

  • Local attacker with file access needed.
  • Malicious file triggers input validation flaw.
  • Potential sandbox escape on Android.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow a local attacker on an Android device to escape the browser's sandbox by providing a malicious file. This could potentially impact the integrity and availability of the affected application.

  • System data
  • Malicious file execution
  • Application compromise

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability, affecting Google Chrome on Android, is likely to be the responsibility of the platform or mobile application management teams, as it impacts a widely distributed application. The first critical step is to identify all Android devices utilizing the affected Chrome version and assess their exposure, prioritizing business-critical assets and those accessible externally. Coordination with the vendor for a fix or a planned remediation window will be essential.

  • Platform and application teams own remediation.
  • Verify affected Chrome version and device reachability.
  • Plan vendor coordination and phased rollout.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Google Chrome for Android and how does it use WebAppInstalls?

Google Chrome for Android is a widely used mobile web browser that allows users to install websites as Progressive Web Apps (PWAs). The WebAppInstalls component facilitates this by processing installation data to create shortcuts and integrate these web pages directly into the Android operating system, enabling them to launch and behave like native applications.

What does CWE-20 mean in the context of CVE-2026-13872?

CWE-20 refers to Improper Input Validation, a class of security weakness where a program fails to verify that incoming data is safe before processing it. In this CVE, the browser does not sufficiently check a malicious file during the web app installation process. This failure allows the file to bypass normal constraints, potentially letting it perform actions beyond its permitted scope.

How is this sandbox escape triggered?

An attacker must gain local access to the device and trick a user into opening a specific malicious file. The vulnerability is not triggered by simply browsing the internet or visiting a website; it requires the manual introduction of a crafted file to interact with the vulnerable WebAppInstalls feature.

Is my device at risk over the internet?

According to Halo Surface Signal, this vulnerability is very unlikely to be exploited via the public internet. Because it requires a local attacker to provide a file directly to the device, it is a client-side scenario rather than a remote attack. Your exposure is limited to situations where someone has physical or local access to the Android device.

How do I address this Chrome vulnerability?

The most effective response is to update the Chrome browser on your Android devices to the latest version provided by the vendor. Since this is a browser-level issue, administrators should identify affected devices and prioritize updating those that hold sensitive information or are frequently handled by different users to ensure they are no longer running the vulnerable software.

References