Skip to main content

Google Chrome CVE-2026-13964

| EUVDEUVD-2026-40652 MEDIUM
Improper Access Control (CWE-284)
2026-06-30 chrome-cve-admin@google.com GHSA-8vph-c3qm-569r
6.5
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
vuln.today AI
6.5 MEDIUM

Network delivery via crafted page (AV:N), no authentication needed (PR:N), user must load page (UI:R); only integrity is impacted through navigation bypass (I:H, C:N, A:N).

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 02, 2026 - 18:51 vuln.today
CVSS changed
Jul 02, 2026 - 16:37 NVD
6.5 (None) 6.5 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
MEDIUM 6.5
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Insufficient policy enforcement in WebView in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)

AnalysisAI

Navigation restriction bypass in Google Chrome's WebView component on Android (all versions prior to 150.0.7871.47) allows remote unauthenticated attackers to circumvent enforcement of navigation policies via a specially crafted HTML page, producing high integrity impact with no confidentiality or availability consequence. The CVSS vector (PR:N, UI:R) confirms unauthenticated network exploitation gated on victim interaction, consistent with a social-engineering or malicious-redirect delivery. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious HTML page exploiting WebView policy gap
Delivery
Deliver crafted URL to Android victim via phishing or redirect
Exploit
Victim taps link and loads page in Chrome Android
Execution
Trigger insufficient policy enforcement in WebView
Impact
Bypass navigation restrictions to unauthorized target

Vulnerability AssessmentAI

Exploitation Exploitation requires the target device to be running Google Chrome on Android at a version prior to 150.0.7871.47. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.5 Medium score reflects a network-reachable, low-complexity flaw requiring no authentication but mandating user interaction (UI:R), with a scoped integrity-only impact (I:H, C:N, A:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious HTML page that abuses the WebView navigation policy gap and distributes a link via phishing email, SMS, or a compromised website. When an Android user running Chrome prior to 150.0.7871.47 taps the link and the page loads in WebView, the attacker's crafted content triggers the policy bypass, redirecting WebView navigation to an unauthorized destination - potentially bypassing domain restrictions or content security controls enforced by an embedding application. …
Remediation Upgrade Google Chrome on Android to version 150.0.7871.47 or later, which contains the vendor-released patch per the stable channel update advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-13964 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy