Skip to main content

Google Chrome Android CVE-2026-13939

| EUVDEUVD-2026-40625 LOW
Improper Input Validation (CWE-20)
2026-06-30 chrome-cve-admin@google.com GHSA-gcx4-xh62-vw52
3.1
CVSS 3.1 · Vendor: google

Severity by source

Vendor (google) PRIMARY
3.1 LOW
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
vuln.today AI
3.1 LOW

AC:H reflects mandatory renderer pre-compromise; UI:R for required user interaction; I:L for UI spoofing only; no confidentiality or availability impact applies.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jul 01, 2026 - 22:30 vuln.today
CVSS changed
Jul 01, 2026 - 20:22 NVD
3.1 (LOW)
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Insufficient validation of untrusted input in WebShare in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

AnalysisAI

UI spoofing in Google Chrome's WebShare implementation on Android allows a remote attacker who has already compromised the renderer process to deceive users via a malicious HTML page. Affected versions are all Chrome for Android releases prior to 150.0.7871.47. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Compromise Chrome renderer via separate vulnerability
Delivery
Serve crafted HTML page to victim
Exploit
Invoke WebShare API with unsanitized malicious input
Execution
Renderer passes spoofed data to Android native share dialog
Persist
Victim deceived by spoofed sharing UI
Impact
Unintended data disclosure or action

Vulnerability AssessmentAI

Exploitation Exploitation requires two distinct preconditions: first, the attacker must have already compromised the Chrome renderer process on the victim's Android device (a significant prerequisite, typically requiring a separate sandbox-level vulnerability); second, the victim must actively interact with a crafted HTML page (UI:R). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals converge on low real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has already achieved renderer process compromise in Chrome for Android - for example via a separate memory corruption vulnerability in the browser's rendering engine - could serve a crafted HTML page that invokes the WebShare API with manipulated content. The malicious share dialog could be crafted to spoof a trusted application's sharing prompt, potentially tricking the user into sharing sensitive data with an unintended destination or taking an unintended action. …
Remediation Update Google Chrome on Android to version 150.0.7871.47 or later; this is the vendor-confirmed patched release per the Chrome stable channel update advisory at http://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13939 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy