PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9987 Google CVE debrief

A high-severity vulnerability in Google Chrome on Android, caused by insufficient validation of untrusted input in the WebAppInstalls component. A local attacker who gets a user to process a malicious file can achieve arbitrary code execution. The CVSS vector records no scope change, so the impact is assessed within Chrome itself; the record does not describe a privilege escalation beyond that. The Chromium security team rates the severity as High. The issue is fixed in Chrome for Android 148.0.7778.216 and later.

Vendor
Google
Product
Chrome
CVSS
7.8 High (v3.1 base score)
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

Organizations with Android device fleets, mobile security teams, Chrome enterprise administrators, and end users who install web applications on Android devices.

Technical summary

The vulnerability is in the WebAppInstalls component of Chrome on Android, which does not adequately validate untrusted input. A local attacker supplies a malicious file that, once the user processes it, leads to arbitrary code execution. The attack requires user interaction but no prior privileges. The CVSS vector scores it at high confidentiality, integrity, and availability impact with scope unchanged, meaning the impact is assessed within the vulnerable component, Chrome, rather than the whole device. The fix ships in Chrome stable 148.0.7778.216.

Defensive priority

High

Recommended defensive actions

  • Update Google Chrome on Android to 148.0.7778.216 or later as soon as possible. On managed fleets, verify the installed version rather than assuming Play auto-update has already run; auto-updates can lag by days on devices that are rarely online or have updates paused.
  • Restrict installation of web apps from untrusted sources, and remind users not to open unexpected files, since this attack needs a user to process the malicious file.
  • Watch for anomalous behavior by the Chrome app on managed Android devices, to the extent the MDM or mobile threat defense tooling in use exposes it.
  • Use enterprise mobile device management (MDM) policies to enforce browser update compliance, for example a minimum app version requirement for Chrome.
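The first two actions come down to one question per device: is the installed Chrome build at or above 148.0.7778.216? The following is an added example, not part of the PatchSiren advisory or any Google tooling. It parses the output of `adb shell dumpsys package com.android.chrome` (a real adb command; the sample output embedded below is constructed for the example) and compares the versionName numerically against the fixed build, which avoids the classic mistake of comparing version strings lexically. The package name com.android.chrome is the stable-channel Chrome on Android; the `check_device` helper and its adb invocation are the example's own.

```python
"""Fleet check: is Chrome on an Android device at or above the fixed build?

Added example, not code from the advisory. Reads `dumpsys package` output,
extracts versionName, and compares it numerically with the fixed version
named in the advisory (148.0.7778.216).
"""
import re
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = "148.0.7778.216"        # fixed build from the advisory
CHROME_PACKAGE = "com.android.chrome"   # stable Chrome on Android

# Constructed sample of the relevant lines from a still-vulnerable device.
# An updated preloaded Chrome also lists its factory build under
# "Hidden system packages:", after the active entry, so the first
# versionName is the one actually running.
SAMPLE_DUMPSYS_VULNERABLE = """\
Packages:
  Package [com.android.chrome] (a1b2c3d):
    userId=10143
    versionName=147.0.7700.105
    apkSigningVersion=3
Hidden system packages:
  Package [com.android.chrome] (e4f5a6b):
    userId=10143
    versionName=120.0.6099.43
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '148.0.7778.216' into (148, 0, 7778, 216).

    Tuples compare numerically; plain strings would rank '9.x' above
    '148.x' because '9' > '1' character-wise.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {text!r}")
    return tuple(int(p) for p in parts)


def extract_version_name(dumpsys_output: str) -> Optional[str]:
    """Return the first versionName= value, or None if the package is absent."""
    m = re.search(r"^\s*versionName=(\S+)", dumpsys_output, re.MULTILINE)
    return m.group(1) if m else None


def is_vulnerable(installed: Optional[str], fixed: str = FIXED_VERSION) -> bool:
    """True when Chrome is installed and older than the fixed build.

    A device with no Chrome at all is reported as not vulnerable to this CVE.
    """
    if installed is None:
        return False
    return parse_version(installed) < parse_version(fixed)


def check_device(serial: str) -> Tuple[Optional[str], bool]:
    """Query a real device over adb (needs adb on PATH and USB debugging on)."""
    out = subprocess.run(
        ["adb", "-s", serial, "shell", "dumpsys", "package", CHROME_PACKAGE],
        capture_output=True, text=True, check=True,
    ).stdout
    installed = extract_version_name(out)
    return installed, is_vulnerable(installed)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    v = extract_version_name(SAMPLE_DUMPSYS_VULNERABLE)
    print(f"installed={v} vulnerable={is_vulnerable(v)}")
```

Run `check_device("<serial>")` for each serial from `adb devices` to sweep a lab bench; for a managed fleet the same comparison applies to the version the MDM inventory reports, which is usually the quicker path.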

Evidence notes

The NVD record and the Chrome release advisory confirm the vulnerability affects Chrome on Android versions prior to 148.0.7778.216. The CVSS v3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) supports the 7.8 score: local attack vector, low attack complexity, no privileges required, user interaction required, scope unchanged, and high confidentiality, integrity, and availability impact. The Chromium issue tracker reference is marked Permissions Required, so the technical details remain restricted. CPE data confirms the affected product as Google Chrome and notes Android as the target platform.

Official resources

2026-05-28T23:16:56.940Z