Skip to main content

Google Chrome CVE-2026-13021

| EUVDEUVD-2026-39036 MEDIUM
Origin Validation Error (CWE-346)
2026-06-24 Chrome GHSA-xrw9-98j7-cc8w
4.3
CVSS 3.1 · Vendor: Chrome
Share

Severity by source

Vendor (Chrome) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Network-delivered via crafted HTML requiring active user visit (UI:R); SOP bypass yields only limited cross-origin data read with no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Chrome).

CVSS VectorVendor: Chrome

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 24, 2026 - 21:39 vuln.today
CVSS changed
Jun 24, 2026 - 20:22 NVD
4.3 (MEDIUM)
CVE Published
Jun 24, 2026 - 18:43 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 24, 2026 - 18:43 cve.org
MEDIUM 4.3

DescriptionCVE.org

Inappropriate implementation in DeviceBoundSessionCredentials in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Same-origin policy bypass in Google Chrome's DeviceBoundSessionCredentials (DBSC) feature affects all Chrome versions prior to 149.0.7827.197, allowing a remote attacker to read limited cross-origin data via a crafted HTML page. The flaw stems from incorrect origin validation (CWE-346) in the DBSC implementation, a relatively new anti-session-hijacking subsystem. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious HTML page exploiting DBSC origin flaw
Delivery
Host or inject page accessible to target
Exploit
Lure victim to load page via phishing or malvertising
Execution
Browser executes page in unpatched Chrome
Persist
Incorrect origin validation in DBSC triggers SOP bypass
Impact
Attacker reads limited cross-origin session credential data

Vulnerability AssessmentAI

Exploitation Exploitation requires that the victim be using Google Chrome prior to version 149.0.7827.197 - Chrome is the only confirmed affected software. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.3 Medium (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) reflects a network-reachable, low-complexity attack requiring no privileges but requiring user interaction, with only partial confidentiality impact and no integrity or availability consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a crafted HTML page that sends specially formed requests leveraging the flawed DeviceBoundSessionCredentials origin validation to access or influence session credential data bound to a different origin. A victim using an unpatched Chrome version visits the attacker-controlled page - through a phishing link, malicious ad, or compromised site - and the browser's incorrect origin check allows limited cross-origin data to be read by the attacker's page. …
Remediation The primary fix is to update Google Chrome to version 149.0.7827.197 or later, which contains the corrected DeviceBoundSessionCredentials implementation. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13021 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy