Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Insufficient validation of untrusted input in Glic in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
AnalysisAI
Cross-origin data leakage in the Glic component of Google Chrome (prior to 149.0.7827.53) can be triggered by a remote attacker who has already compromised the renderer process, using a crafted HTML page to exfiltrate sensitive cross-origin content. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) reflects high confidentiality impact but masks the realistic complexity: renderer compromise is an explicit prerequisite, making this a chained exploit rather than a standalone attack. No active exploitation has been confirmed (CISA KEV absent, SSVC exploitation=none, EPSS 0.05% at 15th percentile), and a vendor-released patch is available.
Technical ContextAI
Glic is an internal component of Google Chrome's browser architecture. CWE-20 (Improper Input Validation) identifies the root cause as insufficient sanitization or validation of untrusted input originating from the renderer process before it is acted upon in a more privileged context. In Chromium's multi-process model, the renderer is intentionally sandboxed, but this vulnerability exploits the communication boundary between a compromised renderer and the browser process or cross-origin data handling layer. The affected version range is all Chrome releases below 149.0.7827.53. Because the CVE requires a pre-compromised renderer, this flaw is architecturally significant as a second-stage primitive in a full browser exploit chain - it enables a renderer-level attacker to escalate their information access to cross-origin data that the same-origin policy would otherwise block.
RemediationAI
The primary remediation is to update Google Chrome to version 149.0.7827.53 or later, which includes the vendor-released fix for this vulnerability as confirmed by the Chrome stable channel advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Chrome's auto-update mechanism will deliver this fix to most desktop users automatically; administrators managing enterprise deployments should verify policy-based update enforcement is active. No workarounds are documented in the available references. Since exploitation requires a pre-compromised renderer process, organizations relying on Chrome's built-in sandbox hardening (e.g., enabling strict site isolation via --site-per-process, which is default in modern Chrome) already reduce the attack surface for renderer-level exploits that would be prerequisites to this vulnerability. Disabling JavaScript is an extreme compensating control that would prevent renderer compromise but carries significant usability trade-offs and is not recommended as a practical mitigation.
Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player
V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac
Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, a
The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, do
Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb
Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi
An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi
The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se
Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34476
GHSA-j7pv-p79r-74j5