Skip to main content

Google Chrome CVE-2026-12024

| EUVDEUVD-2026-36344 MEDIUM
Origin Validation Error (CWE-346)
2026-06-11 Chrome GHSA-7mw2-6273-9cwv
Medium
Disputed · 6.5 Vendor: Chrome
Share

Severity by source

Sources disagree (Medium–Critical)
Vendor (Chrome) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
vuln.today AI
6.1 MEDIUM

SOP bypass inherently crosses origin boundaries (S:C); limited C:L and I:L reflect partial cross-origin read/write rather than full system compromise.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
SUSE
CRITICAL
qualitative
Red Hat
6.4 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: Chrome

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 12, 2026 - 15:23 vuln.today
CVSS changed
Jun 12, 2026 - 15:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 11, 2026 - 20:48 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 11, 2026 - 20:48 cve.org
MEDIUM 6.5

DescriptionCVE.org

Insufficient policy enforcement in DevTools in Google Chrome prior to 149.0.7827.115 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Same-origin policy bypass in Google Chrome's DevTools component exposes all Chrome versions prior to 149.0.7827.115 to cross-origin integrity violations when a victim visits a crafted HTML page. The root cause (CWE-346) is insufficient origin validation within DevTools policy enforcement, allowing a remote unauthenticated attacker to circumvent the browser's fundamental isolation boundary and tamper with cross-origin content. No public exploit identified at time of analysis; EPSS of 0.02% (4th percentile) and absence of a CISA KEV listing indicate currently low real-world exploitation pressure despite the High Chromium severity rating.

Technical ContextAI

Google Chrome's DevTools subsystem enforces policy controls that govern cross-origin access within the browser's rendering engine. CWE-346 (Origin Validation Error) identifies the root cause: the engine fails to correctly validate the originating context before permitting certain DevTools-mediated actions, allowing cross-origin policy boundaries to be crossed. The affected CPE cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* covers all platform variants of Chrome across Windows, macOS, and Linux prior to the 149.0.7827.115 stable release. Same-origin policy is a foundational browser security primitive; its bypass via DevTools internals is particularly sensitive because DevTools interfaces carry elevated trust within the browser process model.

RemediationAI

The primary fix is upgrading Google Chrome to version 149.0.7827.115 or later via the stable channel update, detailed at http://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_01962725236.html. Chrome's auto-update mechanism will deliver this patch to most users automatically; enterprise administrators should verify forced update policies are active. As a compensating control pending patch deployment, restricting access to untrusted or unknown web pages (via browser security policy, web proxy filtering, or disabling JavaScript for untrusted zones) would reduce exposure, though this imposes significant usability trade-offs in browser-dependent environments. Disabling or restricting DevTools access via enterprise policy (e.g., DeveloperToolsDisabled=true in Chrome group policy) may reduce the attack surface but cannot be confirmed as a complete mitigation without vendor guidance on the specific DevTools code path involved.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-12024 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy