Skip to main content

Chrome Android CVE-2026-13866

| EUVDEUVD-2026-40552 MEDIUM
Improper Input Validation (CWE-20)
2026-06-30 chrome-cve-admin@google.com GHSA-4wj6-h6wx-47r8
6.5
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
vuln.today AI
8.0 HIGH

AC:H because prior renderer compromise is required; S:C and C:H because site isolation bypass enables read access to cross-origin data, constituting a scope change.

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 15:40 vuln.today
CVSS changed
Jul 01, 2026 - 15:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 30, 2026 - 23:17 cve.org
MEDIUM 6.5

DescriptionCVE.org

Inappropriate implementation in Input in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)

AnalysisAI

Site isolation bypass in Google Chrome for Android (prior to 150.0.7871.47) allows a remote attacker who has already achieved renderer process compromise to cross origin boundaries using a crafted HTML page, enabling high-integrity impact against other open sites. The root cause is CWE-20 (Improper Input Validation) within Chrome's Input subsystem on Android - an input handling implementation flaw that fails to enforce cross-origin separation once the renderer is under adversary control. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Exploit separate Chrome renderer vulnerability
Delivery
Achieve code execution in renderer process
Exploit
Serve crafted HTML page to victim browser
Execution
Trigger improper input handling flaw
Persist
Break site isolation boundary
Impact
Access or modify cross-origin content

Vulnerability AssessmentAI

Exploitation Two sequential prerequisites must both be satisfied: (1) the attacker must have already compromised the Chrome renderer process on the target Android device, typically via a separate vulnerability such as a memory corruption bug in Chrome's rendering engine - this is the binding constraint and is not trivially achieved; (2) the victim must navigate to or load a crafted HTML page controlled by the attacker (CVSS UI:R). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) captures the network accessibility and high integrity impact but likely underrepresents complexity and scope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker first exploits a separate renderer-level vulnerability in Chrome for Android - such as a memory corruption bug in the HTML parser or JavaScript engine - to gain code execution within the renderer process, then serves a crafted HTML page to the victim's Chrome instance. The malicious page triggers the improper input handling flaw to break Chrome's site isolation, allowing the attacker to read or tamper with data from other origins the user has open (e.g., a banking session or webmail). …
Remediation Update Google Chrome for Android to version 150.0.7871.47 or later, which is the vendor-released patch per the Chrome stable channel advisory at http://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-13866 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy