CVE-2026-9987 - Vulnerability Details

- chromium-browser: Insufficient validation of untrusted input in WebAppInstalls

Description

Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 148.0.7778.216 allowed a local attacker to execute arbitrary code via a malicious file. (Chromium security severity: High)

Published: 2026-05-28

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

This vulnerability arises from insufficient validation of untrusted input within the WebAppInstalls component of Google Chrome on Android. An attacker can craft a malicious file that, when processed by the affected version, results in arbitrary code execution. The weakness is an input validation flaw (CWE-1286) in addition to the classic input validation flaw (CWE-20) and is rated Chromium security severity as High.

Affected Systems

Google Chrome for Android versions prior to 148.0.7778.216 are affected. Users running these releases on Android devices are at risk unless upgraded to the latest stable channel. No other products or vendors are listed.

Risk and Exploitability

Because the flaw requires a local attacker with access to the device, the attack vector is likely local, and exploitation depends on the presence of a malicious file on the device. The EPSS score indicates a very low but non-zero exploitation probability (< 1%), and the vulnerability is not in CISA’s KEV catalog. The severity is high, suggesting significant risk to confidentiality, integrity, and availability once code execution is achieved.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Google

Chrome

affected

Version	Status	Constraints
`148.0.7778.216`	affected	< 148.0.7778.216

Configuration 1 [-]

AND

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

cpe:2.3:o:google:android:-:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Google

Chrome

100%

Version	Status	Scheme	Platform
`[148.0.7778.216,148.0.7778.216)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Google Chrome to version 148.0.7778.216 or a later release.
Enable automatic updates for Chrome to ensure future patches are applied as soon as they become available.
Delete or quarantine any suspicious or unknown local files that could be used to trigger the exploitation path.

Generated by OpenCVE AI on May 29, 2026 at 14:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/513046475
https://nvd.nist.gov/vuln/detail/CVE-2026-9987
https://www.cve.org/CVERecord?id=CVE-2026-9987

History

Fri, 29 May 2026 16:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Google android
CPEs		cpe:2.3:a:google:chrome:::::::: cpe:2.3:o:google:android:-:::::::*
Vendors & Products		Google android

Fri, 29 May 2026 13:30:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}` cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}`

Fri, 29 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Title	Local Code Execution via WebAppInstalls in Android Chrome	chromium-browser: Insufficient validation of untrusted input in WebAppInstalls
Weaknesses		CWE-1286
References		https://nvd.nist.gov/vuln/detail/CVE-2026-9987 https://www.cve.org/CVERecord?id=CVE-2026-9987
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}` threat_severity `Important`

Fri, 29 May 2026 01:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Google Google chrome
Vendors & Products		Google Google chrome

Fri, 29 May 2026 00:45:00 +0000

Type	Values Removed	Values Added
Title		Local Code Execution via WebAppInstalls in Android Chrome

Thu, 28 May 2026 22:45:00 +0000

Type	Values Removed	Values Added
Description		Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 148.0.7778.216 allowed a local attacker to execute arbitrary code via a malicious file. (Chromium security severity: High)
Weaknesses		CWE-20
References		https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513046475

Subscriptions

Google Android Chrome

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2026-05-28T22:25:46.650Z

Updated: 2026-05-29T12:31:41.876Z

Reserved: 2026-05-28T17:25:08.339Z

Link: CVE-2026-9987

Vulnrichment

Updated: 2026-05-29T12:31:33.321Z

NVD

Status : Analyzed

Published: 2026-05-28T23:16:56.940

Modified: 2026-05-29T16:41:42.507

Link: CVE-2026-9987

Redhat

Severity : Important

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-9987 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T15:00:17Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object