Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Inappropriate implementation in Media Session in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)
AnalysisAI
Same-origin policy bypass in Google Chrome's Media Session component (prior to 149.0.7827.53) enables remote attackers to violate cross-origin isolation via a crafted HTML page. The vulnerability stems from an inappropriate implementation (CWE-346: Origin Validation Error) in the Media Session API, which fails to properly enforce origin boundaries. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis; EPSS sits at 0.02% (4th percentile), consistent with low observed exploitation activity.
Technical ContextAI
The Media Session API is a browser feature that allows web pages to provide metadata about media playback (title, artist, artwork) and handle media control actions from the OS or browser UI. CWE-346 (Origin Validation Error) indicates the implementation fails to correctly validate that cross-origin access attempts are rejected - a fundamental contract of the Same-Origin Policy (SOP). In Chrome's architecture, Media Session logic lives in the renderer process; an improper origin check here can allow one origin to influence or read state belonging to another. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U) confirms this is a network-delivered, low-complexity attack requiring only a single user interaction (visiting the page), with no privileges needed. Affected product per EUVD: Chrome versions in the range < 149.0.7827.53.
RemediationAI
Update Google Chrome to version 149.0.7827.53 or later, which is confirmed as the vendor-released patch per the Chrome stable channel update blog at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Chrome auto-updates for most users; administrators managing enterprise deployments should verify rollout via Google Admin Console or their software management tooling. If immediate patching is not possible, a compensating control is to restrict user access to untrusted web content via browser policy (URL allowlisting), though this significantly impacts normal browsing. Disabling JavaScript broadly would also prevent exploitation of crafted HTML pages but is operationally impractical in most environments. The chromium issue tracker entry at https://issues.chromium.org/issues/502633299 may provide additional technical detail once the disclosure embargo lifts.
Same weakness CWE-346 – Origin Validation Error
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34642
GHSA-rc7x-69vh-7p5q