Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
AC:H reflects the mandatory prerequisite of a prior renderer compromise; all other metrics align with a network-delivered, user-interaction-required, confidentiality-only information disclosure.
Primary rating from Vendor (google).
CVSS VectorVendor: google
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Inappropriate implementation in NFC in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
AnalysisAI
Cross-origin data leakage in Google Chrome's NFC implementation on Android exposes sensitive information to attackers who have already compromised the renderer process. Chrome versions prior to 150.0.7871.47 on Android fail to properly validate origins when handling NFC interactions, allowing a renderer-level attacker to read data across origin boundaries via a crafted HTML page. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two specific conditions to be simultaneously satisfied: first, the attacker must have already achieved code execution within the Chrome renderer process on the target Android device - this is not a trivial precondition and typically requires a separate, chained vulnerability such as a V8 JavaScript engine flaw or renderer memory corruption bug. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) scores 6.5 and presents an overly optimistic attack complexity picture. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A targeted attacker first exploits a separate renderer-level vulnerability in Chrome on Android to gain code execution within the sandboxed renderer process. From that position, the attacker serves or injects a crafted HTML page that leverages the NFC origin validation error to read data belonging to a different origin - for example, extracting session tokens or sensitive content from a cross-origin frame the user has loaded. … |
| Remediation | Update Google Chrome on Android to version 150.0.7871.47 or later, which is confirmed to contain the fix per the vendor's stable channel update advisory at chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-346 – Origin Validation Error
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Moderate| Product | Status |
|---|---|
| SUSE Package Hub 15 SP7 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Package Hub 15 SP7 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40573
GHSA-ww75-9mpc-wvr2