Skip to main content

Google Chrome CVE-2026-13990

| EUVDEUVD-2026-40678 MEDIUM
Improper Input Validation (CWE-20)
2026-06-30 chrome-cve-admin@google.com GHSA-cgj9-48jq-3g65
6.5
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
vuln.today AI
5.3 MEDIUM

AC:H reflects the mandatory renderer pre-compromise prerequisite; all other metrics align with the provided vector since no auth, no confidentiality, and no availability impact apply.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 18:36 vuln.today
CVSS changed
Jul 01, 2026 - 18:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
MEDIUM 6.5
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Insufficient validation of untrusted input in DataTransfer in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

AnalysisAI

UI spoofing in Google Chrome for Windows (prior to 150.0.7871.47) is enabled by insufficient input validation in the DataTransfer subsystem when the renderer process has already been compromised. A remote attacker who controls a compromised renderer can deliver a crafted HTML page that manipulates visual UI elements, potentially deceiving users into approving malicious permissions, revealing credentials, or performing unintended actions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exploitable Chrome renderer bug
Delivery
Deliver initial renderer RCE payload via crafted page
Exploit
Achieve renderer process compromise
Execution
Craft DataTransfer input to abuse validation flaw
Persist
Render spoofed UI elements in browser context
Impact
Deceive user into unintended high-impact action

Vulnerability AssessmentAI

Exploitation Exploitation requires two hard prerequisites: (1) the attacker must have already achieved compromise of the Chrome renderer process via a separate, independent vulnerability - this is not a standalone exploit; and (2) the victim must interact with a crafted HTML page (UI:R), meaning the user must actively visit or be redirected to attacker-controlled content. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) overstates standalone exploitability because AC:L does not capture the renderer pre-compromise prerequisite, which is a substantial real-world complexity factor. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker first achieves renderer process compromise through a separate Chromium vulnerability (such as a type confusion or use-after-free in the V8 engine or HTML parser), then serves a crafted HTML page that exploits the DataTransfer input validation flaw to render a convincing spoofed dialog - for example, a fake Windows security prompt or Chrome permission request - that induces the victim to approve a malicious action such as a file download, credential entry, or extension install. No public exploit code for this specific DataTransfer flaw is known at time of analysis.
Remediation Upgrade Google Chrome on all Windows endpoints to version 150.0.7871.47 or later via the stable channel update documented at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-13990 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy