External risk intelligence

Chrome for Android Autofill Sandbox Escape Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.6)

CVE-2026-15113

This vulnerability exists in the Autofill component of a client-side web browser. It requires a user to interact with a crafted HTML page, meaning it is not a network-reachable service, edge gateway, or externally accessible management interface. It is a client-side execution issue that does not have a public internet-facing attack surface.

Use After Free

Google Chrome

before 150.0.7871.115

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Chrome's Autofill feature on Android could allow a malicious website to break out of its security sandbox, potentially impacting user data and system integrity. The main concern is confirming relevance and exposure due to the client-side nature of the exploit.

  • Autofill flaw allows website escapes.
  • High impact if user visits malicious page.
  • Confirm if Android Chrome Autofill is used.

Attack Path

How an attacker could exploit the issue

An attacker could trick a user into visiting a malicious web page, leading to the Autofill feature in Chrome for Android processing data improperly. This could allow them to break out of the browser's security sandbox.

  • Requires user interaction with a malicious page.
  • Triggered by crafted HTML page.
  • Risk of sandbox escape.

Live Threat

Current exploitation, exposure, and threat context

A use-after-free vulnerability in Chrome's Autofill component on Android could allow a remote attacker to escape the browser's sandbox when a user visits a specially crafted HTML page. This could potentially expose sensitive information or allow for unauthorized actions within the browser context.

  • Sensitive data within the browser.
  • Visiting a malicious webpage.
  • Sandbox escape and information disclosure.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability affects client-side Google Chrome on Android, specifically its Autofill component, and requires user interaction with a malicious HTML page. The first practical step is to identify all Android devices running the affected browser version, confirm their business criticality, and then engage the mobile device management or endpoint security teams responsible for Chrome updates.

  • Mobile device and security teams own remediation.
  • Verify affected Chrome versions on Android.
  • Plan update deployment and user communication.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Google Chrome for Android?

It is a mobile web browser built on the Chromium engine. It includes integrated features like Autofill, which automatically populates forms like addresses or payment details to simplify user tasks. This vulnerability specifically impacts how the Autofill component manages memory.

What does CVE-2026-15113 mean?

This CVE refers to a 'use-after-free' vulnerability, categorized as CWE-416. It occurs when software continues to use a memory location after it has been cleared or freed. In this case, an attacker can manipulate that memory to compromise the browser's sandbox security.

How is this vulnerability triggered?

A remote attacker must entice a user to visit a specially crafted HTML page. Simply having the browser installed does not trigger the bug; the browser must actively process malicious code within a web page. Normal, non-malicious browsing does not activate this specific flaw.

Is my device at risk if it is not internet-facing?

According to Halo Surface Signal, this is a client-side execution issue, not a network-reachable service. Because it requires user interaction with a specific web page, it lacks a traditional internet-facing attack surface. The risk is tied to the user's browsing activity rather than direct network exposure.

How do I address this vulnerability?

Verify which devices are running Chrome versions earlier than 150.0.7871.115. Coordinate with your mobile device management or endpoint security teams to ensure these devices receive the necessary updates. Prioritize devices based on their business use and ensure users are aware of the importance of keeping their browser updated.

References