Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
Insufficient validation of untrusted input in DevTools in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension. (Chromium security severity: Medium)
AnalysisAI
Navigation restriction bypass in Google Chrome DevTools (all versions prior to 149.0.7827.53) enables circumvention of browser navigation controls through a crafted malicious Chrome Extension. Exploitation requires convincing a target user to install the malicious extension, placing this firmly in social-engineering territory rather than opportunistic mass exploitation. EPSS is extremely low at 0.02% (4th percentile), no public exploit code has been identified, and there is no CISA KEV listing, making this a moderate-priority integrity-only issue despite the CVSS 6.5 score.
Technical ContextAI
The vulnerability resides in Google Chrome's DevTools component - the suite of developer tools built into the browser that interfaces with extension APIs and internal browser mechanisms. The root cause is CWE-20 (Improper Input Validation): DevTools fails to sufficiently validate untrusted input originating from Chrome Extension contexts. Chrome Extensions interact with browser internals through privileged APIs; when a crafted extension supplies malformed or adversarial input to DevTools, the validation gap allows the extension to manipulate navigation restriction logic - controls that normally govern where the browser is permitted to navigate. Affected product per EUVD (EUVD-2026-34650) and NVD CPE data: Google Chrome < 149.0.7827.53 across all supported desktop platforms.
RemediationAI
Update Google Chrome to version 149.0.7827.53 or later immediately - this is the vendor-released patch confirmed by the Stable Channel Update advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Chrome auto-updates by default, so most consumer endpoints will receive the fix without manual intervention; verify update status via chrome://settings/help. As a compensating control for enterprise environments, deploy Chrome Enterprise policies to restrict extension installation: use ExtensionInstallBlocklist (*) combined with ExtensionInstallAllowlist to permit only approved extensions - this directly eliminates the attack's prerequisite (malicious extension installation) and is effective even on unpatched endpoints, though it adds operational overhead for managing the allowlist. Alternatively, ExtensionInstallSources can be locked to the Chrome Web Store only, reducing but not eliminating risk since Web Store review is not a perfect gate. Do not rely on user-level security awareness training alone as the primary control.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34650
GHSA-3h77-7xw7-872m