Severity by source
AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Physical device presence is the sole access requirement (AV:P); no credential or privilege needed; only confidentiality impacted via in-process memory read.
Primary rating from Vendor (google).
CVSS VectorVendor: google
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Insufficient data validation in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a local attacker to obtain potentially sensitive information from process memory via physical access to the device. (Chromium security severity: High)
AnalysisAI
Sensitive process memory exposure in Google Chrome for iOS prior to 150.0.7871.47 enables a physically present attacker to read potentially sensitive data from the browser's memory without authentication. The root cause is insufficient data validation (CWE-20) within the iOS-specific Chrome implementation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Physical access to the iOS device is the mandatory prerequisite - the CVSS vector AV:P confirms this is not remotely exploitable under any condition. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 4.6 (Medium) accurately reflects constrained real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with physical access to a target iOS device running an unpatched Chrome for iOS version triggers a data validation flaw in the browser process, allowing them to read memory contents that may include session tokens, saved passwords, or browsing history. No public exploit code has been identified, so exploitation would currently require independent vulnerability research to reproduce the flaw. |
| Remediation | Update Google Chrome for iOS to version 150.0.7871.47 or later via the Apple App Store. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Moderate| Product | Status |
|---|---|
| SUSE Package Hub 15 SP7 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Package Hub 15 SP7 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40494
GHSA-v598-mr98-5866