Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
AnalysisAI
Same-origin policy bypass in Google Chrome on iOS prior to 149.0.7827.53 allows a remote, unauthenticated attacker to violate cross-origin isolation by delivering a crafted HTML page to a victim. The flaw stems from an inappropriate implementation (CWE-346) in the iOS-specific Chrome codebase, meaning the iOS browser incorrectly validates origin boundaries in a way the desktop build does not. No active exploitation is confirmed (no CISA KEV listing), EPSS is 0.02% (4th percentile), and SSVC rates exploitation as none - placing this firmly in a routine patching priority rather than an emergency response.
Technical ContextAI
CWE-346 (Origin Validation Error) indicates that Chrome's iOS implementation fails to correctly enforce same-origin policy (SOP) checks in at least one code path. SOP is the foundational browser security boundary preventing scripts in one origin (scheme+host+port) from reading or writing data belonging to another origin. The affected component is specific to Chrome's iOS port - likely a WebKit-layer interaction or a custom iOS rendering/navigation path - distinguishing it from Chromium's standard Blink-based desktop implementation. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) confirms the attack is fully network-delivered, requires no privilege, and results in limited integrity impact with no confidentiality or availability loss. The affected CPE range is Google Chrome on iOS versions below 149.0.7827.53 per EUVD-2026-34759.
RemediationAI
Update Google Chrome on iOS to version 149.0.7827.53 or later via the Apple App Store. This is the vendor-released patch as confirmed by the Chrome Releases advisory (chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html) and the Chromium issue tracker (issues.chromium.org/issues/502503860). Because the CVSS integrity impact is limited (I:L) and EPSS is at the 4th percentile, emergency rollout is unlikely warranted; inclusion in the next scheduled mobile endpoint management patch cycle is appropriate for most organizations. No workarounds or compensating controls are documented by the vendor. For organizations unable to update immediately, restricting users from opening untrusted HTML links in Chrome for iOS (e.g., via MDM policy enforcing Safari as the default browser, or user awareness guidance) reduces exposure surface, but carries usability trade-offs.
Same weakness CWE-346 – Origin Validation Error
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34759
GHSA-hfpq-rxj4-wgm5