Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Inappropriate implementation in MHTML in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
AnalysisAI
Cross-origin data leakage in Google Chrome's MHTML implementation prior to version 149.0.7827.53 exposes sensitive user data to remote attackers via crafted HTML pages. The flaw stems from improper origin validation (CWE-346) in MHTML handling, allowing an attacker-controlled page to read data across origin boundaries - a significant breach of the browser's same-origin policy. Exploitation requires convincing a victim to perform specific UI gestures, and no public exploit or active exploitation has been identified at time of analysis; EPSS probability is very low at 0.03% (11th percentile).
Technical ContextAI
MHTML (MIME HTML, RFC 2557) is a web archive format that bundles HTML documents with embedded resources (images, scripts, stylesheets) into a single MIME-encoded file. Google Chrome's MHTML processing component contained an 'inappropriate implementation' - classified under CWE-346 (Origin Validation Error) - meaning the engine failed to correctly enforce that cross-origin resources cannot be read by a requesting page. This breaks the fundamental browser Same-Origin Policy (SOP) contract. The affected product is Google Chrome across desktop platforms prior to stable release 149.0.7827.53, as confirmed by EUVD-2026-34656 and Google's Chrome Releases advisory. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) indicates the vulnerability is exploitable over the network, requires no authentication, but does require user interaction, with high confidentiality impact and no impact on integrity or availability.
RemediationAI
The primary remediation is to upgrade Google Chrome to version 149.0.7827.53 or later, which contains the vendor-released fix as documented in the Google Chrome Releases blog at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Chrome's automatic update mechanism should deliver this update to most users without manual intervention; administrators managing enterprise deployments should push the update via policy. As a compensating control where immediate patching is not possible, consider blocking or disabling MHTML file handling at the enterprise proxy or endpoint level, though this may break legitimate use of .mht/.mhtml web archive files. Additionally, security awareness guidance discouraging users from performing unexpected UI gestures on unfamiliar web pages can reduce exploitation surface, though this is not a technical control and has limited reliability. No significant side effects of the patch itself have been reported.
Same weakness CWE-346 – Origin Validation Error
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34656
GHSA-jcc7-f4j6-p6gf