Skip to main content

Google Chrome CVE-2026-13800

| EUVDEUVD-2026-40486 HIGH
Improper Access Control (CWE-284)
2026-06-30 chrome-cve-admin@google.com GHSA-pg94-6h4v-f6ph
7.8
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local attacker needs no prior privileges (PR:N) but a malicious file and user interaction (AV:L, UI:R); successful escalation yields full OS-level compromise, so C/I/A all High.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
HIGH
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 15:23 vuln.today
CVSS changed
Jul 01, 2026 - 15:22 NVD
7.8 (HIGH)
CVE Published
Jun 30, 2026 - 23:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 30, 2026 - 23:16 cve.org
HIGH 7.8

DescriptionCVE.org

Inappropriate implementation in Updater in Google Chrome on Windows prior to 150.0.7871.47 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: High)

AnalysisAI

Local privilege escalation in the Google Chrome Updater on Windows (versions prior to 150.0.7871.47) allows a local attacker to gain OS-level privileges by planting a malicious file that the Updater component mishandles. Rated High by Chromium and CVSS 7.8, exploitation requires local access plus user interaction; there is no public exploit identified at time of analysis, and EPSS is low at 0.13% (3rd percentile). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain unprivileged local access on Windows host
Delivery
Plant malicious file for Chrome Updater
Exploit
Trigger updater path via required user interaction
Execution
Updater mishandles file at high privilege
Persist
Execute code as OS/SYSTEM
Impact
Escalate to full host control

Vulnerability AssessmentAI

Exploitation Exploitation requires local access to the Windows host and involves the Chrome Updater component processing an attacker-supplied malicious file, per the description; the CVSS vector also mandates user interaction (UI:R), so some victim/user action is needed to trigger the vulnerable update path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are internally consistent and point to a genuine but not urgent local-privilege-escalation issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who already has an unprivileged foothold on a Windows workstation plants a malicious file in a location the Chrome Updater trusts and induces the required user action, causing the elevated updater process to consume it and execute attacker-controlled logic at OS level. This turns a limited user session into SYSTEM-level control, a common escalation step after phishing or malware delivery. …
Remediation Vendor-released patch: update Google Chrome on Windows to 150.0.7871.47 or later via the June 2026 Stable Channel update (https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html), then fully restart the browser so the elevated Updater component is replaced. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Conduct inventory scan of all Windows systems to identify Chrome installations prior to version 150.0.7871.47. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-13800 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy