Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Inappropriate implementation in DOM Distiller in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
AnalysisAI
Navigation restriction bypass in Google Chrome's DOM Distiller component on iOS allows a remote attacker to circumvent page navigation controls by serving a specially crafted HTML page. Affected users are running Chrome on iOS prior to version 149.0.7827.53, and exploitation requires the victim to visit an attacker-controlled page. No public exploit identified at time of analysis and EPSS probability sits at 0.02% (4th percentile), consistent with the vendor's own 'Low' severity classification - real-world impact is limited to integrity degradation with no confidentiality or availability consequence.
Technical ContextAI
DOM Distiller is Chrome's reader-mode subsystem that parses and reformats web content into a simplified, distillation view. It operates as a privileged internal Chrome page (chrome-distiller:// scheme) and is iOS-specific in this context, meaning the flaw exists in the WebKit/Chrome-on-iOS code path rather than the Blink renderer used on desktop. CWE-284 (Improper Access Control) is the root cause class, indicating the DOM Distiller implementation fails to correctly enforce navigation boundaries - likely allowing crafted markup to redirect the distiller context to a destination that should be restricted. The affected version range is all Chrome iOS builds prior to 149.0.7827.53, as identified in the EUVD CPE data ('Chrome 149.0.7827.53 <149.0.7827.53').
RemediationAI
Vendor-released patch: Chrome 149.0.7827.53 for iOS. Users should update Chrome on iOS to version 149.0.7827.53 or later via the Apple App Store; this is the primary and recommended fix. The advisory is published at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. No workarounds are documented by the vendor. As an interim compensating control for environments where immediate update is not possible, disabling Reader Mode (DOM Distiller) by setting chrome://flags/#dom-distiller to Disabled would remove the vulnerable code path, though this trades off the reader-mode usability feature. Given the low severity and limited impact, emergency compensating controls are unlikely to be warranted for most organizations.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34735
GHSA-p57h-48hh-w845