Skip to main content

Google Chrome CVE-2026-13926

| EUVDEUVD-2026-40612 MEDIUM
Improper Input Validation (CWE-20)
2026-06-30 chrome-cve-admin@google.com GHSA-fc6m-85w4-chf6
6.5
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
vuln.today AI
5.3 MEDIUM

AC:H reflects the mandatory pre-condition of a separately compromised renderer process; all other metrics align with the official vector.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 17:27 vuln.today
CVSS changed
Jul 01, 2026 - 17:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
MEDIUM 6.5
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Insufficient validation of untrusted input in Network in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)

AnalysisAI

Navigation restriction bypass in Google Chrome prior to 150.0.7871.47 enables a remote attacker who has already compromised the renderer process to circumvent Chrome's network navigation controls via a crafted HTML page. The vulnerability stems from CWE-20 (Improper Input Validation) in Chrome's Network component, producing a high-integrity impact with no confidentiality or availability loss. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Exploit separate Chrome renderer vulnerability
Delivery
Gain code execution in renderer process
Exploit
Serve victim crafted HTML page via attacker-controlled site
Execution
Trigger network input validation flaw in browser process
Persist
Bypass Chrome navigation restrictions
Impact
Access privileged or restricted browser-internal resources

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker has already achieved code execution within Chrome's renderer process through a separate, independent vulnerability - this is the critical and non-trivial limiting condition; without prior renderer compromise, this vulnerability cannot be triggered. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) warrants critical scrutiny: Google Chrome's scoring convention for chained browser bugs often marks the full exploitation chain as AC:L/PR:N, but the NVD description explicitly states exploitation requires the attacker to have already compromised the renderer process - a substantial prerequisite not reflected in AC:L. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker first compromises Chrome's renderer process via a separate vulnerability - such as a V8 JavaScript engine bug or a media decoder flaw - to gain code execution within the sandboxed renderer. They then serve the compromised browser a crafted HTML page that issues malformed network navigation requests exploiting Chrome's insufficient input validation, causing the browser process to allow navigation to restricted targets such as internal chrome:// URLs or cross-origin resources normally blocked by policy. …
Remediation Update Google Chrome to version 150.0.7871.47 or later; this is the vendor-released patch confirmed in the stable channel advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-13926 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy