Skip to main content

Google Chrome CVE-2026-14117

| EUVDEUVD-2026-40804 MEDIUM
Improper Input Validation (CWE-20)
2026-06-30 chrome-cve-admin@google.com GHSA-576h-mqx3-98ph
5.3
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
5.3 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
vuln.today AI
5.3 MEDIUM

Network delivery via crafted page (AV:N) but AC:H for required UI gesture sequence; C:H for process memory read; I:N and A:N as no write or crash capability is described.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 02:42 vuln.today
CVSS changed
Jul 01, 2026 - 02:22 NVD
5.3 (None) 5.3 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 30, 2026 - 23:17 cve.org
MEDIUM 5.3

DescriptionCVE.org

Insufficient validation of untrusted input in DevTools in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)

AnalysisAI

Memory disclosure via DevTools in Google Chrome on Windows (prior to 150.0.7871.47) enables a remote attacker to read sensitive process memory contents by delivering a crafted HTML page and manipulating the victim into performing specific UI gestures. The vulnerability is Windows-platform-exclusive and carries a Chromium-internal severity of Low, consistent with SSVC's assessment of no current exploitation and non-automatable delivery. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker crafts malicious HTML page
Delivery
Social-engineer Windows Chrome user to visit page
Exploit
User performs prompted specific UI gestures involving DevTools
Execution
Improper input validation in DevTools triggered by crafted content
Impact
Sensitive process memory contents disclosed to attacker

Vulnerability AssessmentAI

Exploitation Target must be running Google Chrome on Windows specifically - no other platforms are affected by this advisory. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is low despite the CVSS C:H (high confidentiality impact) rating. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker creates a crafted HTML page designed to trigger specific DevTools interactions and hosts it on a controlled domain, then social-engineers a Windows Chrome user - likely a developer familiar with DevTools - into visiting the page and performing a prompted sequence of UI gestures such as opening the inspector or clicking within the DevTools panel. Through the improper input validation flaw, the crafted content causes DevTools to read and expose portions of Chrome's process memory, potentially revealing session tokens, cached credentials, or other in-memory sensitive data. …
Remediation Update Google Chrome on Windows to version 150.0.7871.47 or later, as documented in the Chrome stable channel release advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-14117 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy