Skip to main content

Google Chrome CVE-2026-14039

| EUVDEUVD-2026-40726 MEDIUM
Origin Validation Error (CWE-346)
2026-06-30 chrome-cve-admin@google.com GHSA-97m6-c5rg-v543
4.3
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Network delivery via crafted web page (AV:N, AC:L), active victim visit required (UI:R), no attacker privileges needed (PR:N), impact limited to low integrity within browser scope only (I:L, C:N, A:N, S:U).

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 14:32 vuln.today
CVSS changed
Jul 01, 2026 - 14:22 NVD
4.3 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 30, 2026 - 23:17 cve.org
MEDIUM 4.3

DescriptionCVE.org

Insufficient policy enforcement in GetUserMedia in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)

AnalysisAI

Same-origin policy bypass in Google Chrome's GetUserMedia implementation prior to version 150.0.7871.47 allows a remote, unauthenticated attacker to achieve limited cross-origin integrity impact by delivering a crafted HTML page to a victim. Chromium's own severity classification is Low, consistent with the CVSS 4.3 score and an EPSS exploitation probability of just 0.18% (8th percentile). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Host crafted HTML page on attacker-controlled origin
Delivery
Lure or redirect victim to page via phishing or ad network
Exploit
Victim loads page in unpatched Chrome
Execution
GetUserMedia policy enforcement bypassed
Persist
Same-origin restrictions circumvented
Impact
Limited cross-origin integrity impact achieved

Vulnerability AssessmentAI

Exploitation Exploitation requires two concrete prerequisites: the victim must be running Google Chrome prior to version 150.0.7871.47, and the victim must actively navigate to or be redirected to a crafted HTML page controlled by the attacker (UI:R per CVSS). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N reflects a network-reachable, low-complexity attack requiring no attacker privileges but mandating victim interaction (visiting a crafted page). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a domain and hosts a crafted HTML page that invokes the GetUserMedia API in a manner that exploits Chrome's insufficient origin policy enforcement. A victim running an unpatched Chrome browser is directed to the page via phishing link or malicious advertisement, triggering the same-origin policy bypass and permitting the attacker's page to perform limited cross-origin integrity actions not otherwise permitted. …
Remediation Update Google Chrome to version 150.0.7871.47 or later, as documented in Google's stable channel advisory at chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-14039 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy