Skip to main content

Google Chrome CVE-2026-14045

| EUVDEUVD-2026-40732 MEDIUM
Improper Input Validation (CWE-20)
2026-06-30 chrome-cve-admin@google.com GHSA-v7xc-8mfr-8qcx
4.3
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
vuln.today AI
3.1 LOW

Renderer-process compromise is a hard prerequisite raising AC to H; confidentiality impact is partial (cross-origin data leak only), no integrity or availability impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 14:33 vuln.today
CVSS changed
Jul 01, 2026 - 14:22 NVD
4.3 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 30, 2026 - 23:17 cve.org
MEDIUM 4.3

DescriptionCVE.org

Insufficient validation of untrusted input in Network in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)

AnalysisAI

Cross-origin data leakage in Google Chrome's Network component (versions prior to 150.0.7871.47) enables a remote attacker who has already compromised the renderer process to exfiltrate cross-origin data via a specially crafted HTML page. This is a chained vulnerability - renderer-process compromise is a hard prerequisite, meaning real-world risk is substantially lower than the network-accessible CVSS vector implies. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Deliver malicious webpage to victim
Delivery
Exploit separate renderer-process vulnerability
Exploit
Gain code execution in renderer sandbox
Execution
Craft malformed network input triggering CWE-20 flaw
Impact
Leak cross-origin response data to attacker

Vulnerability AssessmentAI

Exploitation Exploitation requires two conditions to both be satisfied: first, the attacker must have already achieved code execution within Chrome's renderer process - this is a non-trivial precondition requiring a separate renderer-level vulnerability (e.g., a memory corruption or logic flaw in V8 or Blink); second, the user must interact with a crafted HTML page (UI:R per the CVSS vector), meaning the victim must visit an attacker-controlled or compromised site during the attack window. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) captures the web-facing exposure but materially understates the attack complexity by omitting the renderer-process compromise prerequisite from the AC and PR metrics. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker first exploits a separate renderer-process vulnerability (e.g., a V8 type confusion bug) via a malicious webpage to gain code execution inside Chrome's renderer sandbox. With renderer control established, the attacker serves a crafted HTML page that triggers the insufficient Network-layer input validation to read and exfiltrate data from a cross-origin context - for example, session tokens or page content from a banking site open in another tab. …
Remediation The vendor-released patch is Google Chrome 150.0.7871.47, available via the stable channel update announced at chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-14045 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy