Skip to main content

Google Chrome CVE-2026-13933

| EUVDEUVD-2026-40619 MEDIUM
Improper Access Control (CWE-284)
2026-06-30 chrome-cve-admin@google.com GHSA-88gx-5wm5-m35h
5.3
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
5.3 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
vuln.today AI
5.3 MEDIUM

AV:N for network-delivered crafted HTML; AC:H because renderer compromise is a mandatory prerequisite; UI:R for required victim navigation; C:H for potential full credential exposure; no integrity or availability impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 02:28 vuln.today
CVSS changed
Jul 01, 2026 - 02:22 NVD
5.3 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 30, 2026 - 23:17 cve.org
MEDIUM 5.3

DescriptionCVE.org

Insufficient policy enforcement in Passwords in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

AnalysisAI

Insufficient policy enforcement in Chrome's built-in Passwords subsystem (prior to 150.0.7871.47) allows a remote attacker who has already compromised the renderer process to read potentially sensitive credential data from process memory via a crafted HTML page. This is a second-stage, chained information-disclosure flaw - not a standalone exploit - that bypasses Chrome's inter-process access boundaries to reach password manager data. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Deliver crafted HTML to victim's browser
Delivery
Trigger separate renderer vulnerability
Exploit
Gain renderer process execution
Execution
Leverage policy enforcement bypass (CVE-2026-13933)
Persist
Read Passwords subsystem memory
Impact
Extract saved credentials

Vulnerability AssessmentAI

Exploitation Exploitation requires two specific, concurrent conditions: (1) the victim must actively visit a crafted HTML page in an unpatched Chrome browser (UI:R - passive browsing is insufficient; deliberate navigation or redirect is required), and (2) the attacker must have already achieved code execution within Chrome's renderer process through a separate, independent vulnerability (AC:H - this CVE is exclusively a second-stage component of a chained attack). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 5.3 Medium score is appropriate and reflects the genuine risk reduction imposed by AC:H (renderer compromise required) and UI:R (user must interact with a crafted page). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker first delivers an initial renderer-level exploit via a malicious or compromised website, gaining execution within Chrome's sandboxed renderer process on the victim's machine. Using CVE-2026-13933, the attacker then sends crafted IPC or memory access requests that bypass the Passwords subsystem's policy enforcement, reading credential data from process memory - including potentially saved usernames and passwords. …
Remediation Update Google Chrome to version 150.0.7871.47 or later - this is the confirmed vendor-released patch per the Chrome Stable Channel advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-13933 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy