Skip to main content

Google Chrome CVE-2026-14021

| EUVDEUVD-2026-40709 MEDIUM
Improper Input Validation (CWE-20)
2026-06-30 chrome-cve-admin@google.com GHSA-48x8-q2fp-cpc8
6.5
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
vuln.today AI
5.3 MEDIUM

AC:H reflects the explicit renderer-compromise prerequisite; all other metrics from provided vector are retained as accurate for the StorageAccessAPI bypass itself.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 15:45 vuln.today
CVSS changed
Jul 01, 2026 - 15:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
MEDIUM 6.5
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Insufficient policy enforcement in StorageAccessAPI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

AnalysisAI

Cross-origin data leakage in Google Chrome's StorageAccessAPI (prior to 150.0.7871.47) enables a remote attacker who has already compromised the renderer process to read storage or cookie data belonging to other origins by delivering a crafted HTML page. This is a chained attack - the StorageAccessAPI policy bypass is the second stage of a multi-step compromise, not a standalone entry point. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Exploit separate Chrome renderer vulnerability
Delivery
Establish foothold in compromised renderer process
Exploit
Serve crafted HTML page to victim
Execution
Invoke StorageAccessAPI with policy-bypassing request
Persist
Bypass cross-origin isolation enforcement
Impact
Exfiltrate victim's cross-origin storage or session data

Vulnerability AssessmentAI

Exploitation Two conditions must both be met for successful exploitation: (1) the attacker must have already compromised the victim's Chrome renderer process - this is an explicit prerequisite from the CVE description and is the primary limiting factor, as modern renderer sandboxing requires its own exploit chain to breach; and (2) the victim must visit or interact with a crafted HTML page (UI:R per CVSS vector), meaning passive browsing is sufficient but the user must navigate to attacker-controlled content. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, score 6.5) somewhat overstates exploitability because it does not fully account for the renderer compromise prerequisite explicitly stated in the CVE description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has already exploited a separate renderer vulnerability in Chrome delivers a crafted HTML page to the victim, embedding cross-origin content that invokes the StorageAccessAPI with a malformed or policy-bypassing request. When the victim visits or interacts with the page, the compromised renderer successfully reads storage or authentication tokens belonging to a different origin - for example, session cookies from a banking site the user is concurrently logged into - and exfiltrates them to the attacker. …
Remediation Update Google Chrome to version 150.0.7871.47 or later; this is the vendor-confirmed fix as documented in the stable channel update advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-14021 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy