Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Inappropriate implementation in Network in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
AnalysisAI
Cross-origin data leakage in Google Chrome's Network implementation prior to version 149.0.7827.53 allows a remote unauthenticated attacker to read sensitive cross-origin data by luring a victim to a crafted HTML page. Rooted in CWE-346 (Origin Validation Error), the flaw permits the Network component to expose data across origin boundaries that same-origin policy should protect. No public exploit code or active exploitation (CISA KEV) has been identified; EPSS of 0.03% (11th percentile) places real-world exploitation probability as very low at time of analysis.
Technical ContextAI
The vulnerability resides in Chrome's Network layer, classified under CWE-346 (Origin Validation Error), meaning the browser fails to properly enforce origin validation on network-level responses or requests. The same-origin policy is a cornerstone browser security boundary; when network-handling logic improperly validates or bypasses origin checks, attackers can craft HTML pages that coerce the browser into retrieving and exposing cross-origin resources. This is consistent with class-level bugs such as side-channel leaks, CORS policy mishandling, or improper response routing in fetch/XHR pipelines. The affected product is Google Chrome prior to 149.0.7827.53 across desktop platforms (Windows, macOS, Linux), as identified via the ENISA EUVD affected version range 'Chrome 149.0.7827.53 < 149.0.7827.53' and the Chromium stable channel advisory.
RemediationAI
Update Google Chrome to version 149.0.7827.53 or later, which contains the vendor-released patch per the stable channel advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Chrome typically auto-updates, but administrators should verify deployment via fleet management tools. For environments where immediate patching is not possible, a compensating control is to restrict access to untrusted or external web content through enterprise browser policies (e.g., blocking navigation to non-allowlisted domains), accepting the trade-off of reduced browsing functionality. User awareness training to avoid clicking unknown links reduces the UI:R trigger surface but is not a technical control. No workaround fully eliminates the vulnerability; patching to 149.0.7827.53 is the authoritative remediation.
Same weakness CWE-346 – Origin Validation Error
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34655
GHSA-vxcg-jvmf-23hg