Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
Insufficient validation of untrusted input in Network in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
AnalysisAI
Same-origin policy bypass in Google Chrome's Network component (versions prior to 149.0.7827.53) enables a post-compromise attacker who already controls the renderer process to subvert cross-origin enforcement via a crafted HTML page. The CVSS integrity impact is rated High (I:H), but exploitation is gated behind a required renderer-process pre-compromise, substantially raising the real-world attack bar. No public exploit code exists and no CISA KEV listing is present; EPSS stands at 0.02% (6th percentile), consistent with Google's own Low severity rating for this issue.
Technical ContextAI
The vulnerability resides in Chrome's Network component - the subsystem responsible for HTTP/HTTPS request handling, cookie enforcement, and cross-origin policy decisions - and is classified under CWE-20 (Improper Input Validation). Chrome's multi-process sandbox architecture routes renderer-process network requests through IPC to the browser process, where same-origin policy is enforced. When the Network component fails to sufficiently validate untrusted input originating from the renderer, a compromised renderer can supply crafted inputs that cause SOP checks to be bypassed, enabling unauthorized cross-origin write operations. Affected product per ENISA EUVD-2026-34684 is Google Chrome versions in the range below 149.0.7827.53 on all supported desktop platforms.
RemediationAI
The primary remediation is to upgrade Google Chrome to version 149.0.7827.53 or later, as detailed in the stable channel update advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Chrome auto-updates in consumer environments; enterprise administrators using Google Update or Group Policy should verify deployment of this version promptly. As a compensating control for environments delaying the update, enforcing Chrome's Site Isolation mode (--site-per-process, the current default) limits the blast radius of any renderer-level compromise that could be used to trigger this secondary bypass. Restricting users from visiting untrusted or externally supplied URLs in browser sessions that handle sensitive cross-origin data also reduces the attack surface for the required upstream renderer exploit. Note that these controls address the prerequisite stage of the attack chain rather than the specific vulnerability itself.
Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player
V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac
Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, a
The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, do
Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb
Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi
An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi
The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se
Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13
Same weakness CWE-20 – Improper Input Validation
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34684
GHSA-jp3q-3vh2-xf59