Severity by source
AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Primary rating from Vendor (google).
CVSS VectorVendor: google
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
Integer overflow in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to cause a denial of service via a malicious file. (Chromium security severity: Low)
AnalysisAI
Integer overflow in the WebView component of Google Chrome on Android (prior to 149.0.7827.53) allows a local, low-privileged attacker to crash the application via a crafted malicious file, resulting in a denial of service. The attack requires user interaction - the victim must open or process the malicious file through a WebView-rendered surface. No public exploit code has been identified at time of analysis, and the EPSS score of 0.01% (1st percentile) indicates extremely low real-world exploitation probability; the vendor has rated this Low severity.
Technical ContextAI
WebView is an Android system component that embeds a Chromium-based browser engine inside native Android applications, allowing apps to render web content inline. The vulnerability is an integer overflow in this component, meaning an arithmetic operation produces a value exceeding the bounds of its integer type, leading to unexpected behavior - in this case, a crash causing denial of service. The assigned CWE is CWE-472 ('External Control of Assumed-Immutable Web Parameter'), which describes a mismatch from the stated 'integer overflow' root cause; CWE-190 ('Integer Overflow or Wraparound') would be the canonical classification for this type of flaw. This discrepancy between the natural language description and the CWE tag is a notable inconsistency that should be verified against Chromium bug tracker issue 502264647. Affected product is Google Chrome for Android, specifically all versions of the browser's WebView implementation prior to the 149.0.7827.53 stable channel release.
RemediationAI
Upgrade Google Chrome on Android to version 149.0.7827.53 or later, as confirmed by the vendor's stable channel update advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Users should update via the Google Play Store. Since the vulnerability requires local access and user interaction with a malicious file, organizations with managed Android fleets can reduce exposure in the interim by applying mobile device management (MDM) policies that restrict sideloading of untrusted files and limit the sources from which files can be opened in Chrome WebView. Disabling or restricting WebView usage in enterprise applications for untrusted content sources is a targeted compensating control, though this may break functionality in apps that depend on WebView for core features. Given the low severity and lack of known public exploitation, patching through normal update cycles is appropriate rather than emergency response.
Same technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: Low| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34751
GHSA-32x7-f6p3-x83q