Skip to main content

Google Chrome CVE-2026-13949

| EUVDEUVD-2026-40637 MEDIUM
Improper Access Control (CWE-284)
2026-06-30 chrome-cve-admin@google.com GHSA-v8pr-jqpj-qm7g
6.5
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-delivered via crafted HTML requiring user visit; no privileges needed; impact is confidentiality-only from process memory read with no integrity or availability effect.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 02:30 vuln.today
CVSS changed
Jul 01, 2026 - 02:22 NVD
6.5 (None) 6.5 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 30, 2026 - 23:17 cve.org
MEDIUM 6.5

DescriptionCVE.org

Insufficient policy enforcement in Payments in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

AnalysisAI

Insufficient policy enforcement in the Payments component of Google Chrome on Android prior to 150.0.7871.47 exposes potentially sensitive data from process memory to remote attackers. Exploitation requires a victim to visit a specially crafted HTML page, making this a user-interaction-dependent, network-delivered information disclosure. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious HTML page exploiting Payments policy gap
Delivery
Host page on attacker-controlled server
Exploit
Deliver link to Android Chrome user via phishing or malvertising
Execution
Victim navigates to page in Chrome on Android
Persist
Policy enforcement bypass triggers memory read in Payments subsystem
Impact
Sensitive process memory data exfiltrated to attacker

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to actively visit a crafted HTML page in Google Chrome on Android (UI:R per CVSS). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) scores 6.5 and highlights a network-reachable, low-complexity flaw requiring no privileges but mandating user interaction - the victim must navigate to an attacker-controlled page. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a crafted HTML page designed to trigger Chrome's Payments policy enforcement bypass and serves it via a phishing link or malicious advertisement. When an Android Chrome user visits the page, the policy gap allows the page's renderer to read sensitive regions of Chrome process memory - potentially including cached payment card data or autofill credentials stored in memory. …
Remediation Update Google Chrome on Android to version 150.0.7871.47 or later - this is the vendor-confirmed patched release per the Chrome stable channel advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-13949 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy