Skip to main content

Google Chrome CVE-2026-14041

| EUVDEUVD-2026-40728 HIGH
Client-Side Enforcement of Server-Side Security (CWE-602)
2026-06-30 chrome-cve-admin@google.com GHSA-499r-fh8q-qcfc
8.8
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
5.4 MEDIUM

Remote crafted page with required user interaction (UI:R), no auth (PR:N); impact lowered to C:L/I:L/A:N since a Serial policy-enforcement bypass is niche and Chromium rates it Low, not full-system CIA.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
SUSE
HIGH
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 15:33 vuln.today
CVSS changed
Jul 01, 2026 - 15:22 NVD
8.8 (HIGH)
CVE Published
Jun 30, 2026 - 23:17 cve.org
HIGH 8.8
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Insufficient policy enforcement in Serial in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)

AnalysisAI

Privilege escalation in Google Chrome desktop before 150.0.7871.47 stems from insufficient policy enforcement in the Serial (Web Serial API) component, allowing a remote attacker who lures a victim to a crafted HTML page to escalate privileges within the browser. Note the signal conflict: NVD scores this 8.8 (High) with high confidentiality/integrity/availability impact, yet Chromium's own triage rates the security severity as Low. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Lure victim to crafted HTML page
Delivery
Page invokes Web Serial API
Exploit
Bypass insufficient Serial policy enforcement
Execution
Escalate privileges in browser context
Impact
Access resources beyond intended permission

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to open a crafted HTML page in a Chrome build prior to 150.0.7871.47 - user interaction is mandatory (CVSS UI:R), so this is not a drive-by against a fully passive user in the strictest sense but needs page navigation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals conflict and must be weighed rather than taken at face value. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts or compromises a website and entices a victim to open it in a vulnerable Chrome build; the crafted HTML page abuses the insufficiently enforced Serial policy to gain privileges it should not have. Because the CVSS vector requires user interaction (UI:R) but no prior authentication (PR:N), the only prerequisite is getting the target to visit the page. …
Remediation Vendor-released patch: Chrome 150.0.7871.47 - upgrade to this Stable release or later, which for most users happens automatically via Chrome's background updater; confirm the version under Settings > About Google Chrome and relaunch to apply. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory Chrome installations across the organization and confirm current version numbers. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-14041 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy