Skip to main content

Google Chrome CVE-2026-14135

| EUVDEUVD-2026-40822 MEDIUM
Improper Input Validation (CWE-20)
2026-06-30 chrome-cve-admin@google.com GHSA-7r54-w6p6-rv2x
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
vuln.today AI
4.2 MEDIUM

Renderer-process compromise is a substantial prerequisite that raises AC to H; no victim-side authentication required; impact is limited to UI spoofing with no availability component.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 16:08 vuln.today
CVSS changed
Jul 01, 2026 - 16:07 NVD
5.4 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 30, 2026 - 23:17 nvd
MEDIUM 5.4

DescriptionNVD

Insufficient validation of untrusted input in Network in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

AnalysisAI

UI spoofing in Google Chrome's Network component (versions prior to 150.0.7871.47) can be triggered by a remote attacker who has already compromised the renderer process, allowing browser UI elements to be faked via a crafted HTML page. This is a chained exploit - not a standalone flaw - requiring both prior renderer compromise and user interaction, which significantly constrains real-world risk. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Compromise Chrome renderer via separate browser exploit
Delivery
Deliver crafted HTML page to victim browser
Exploit
Submit malformed input through Network component
Execution
Bypass insufficient input validation
Persist
Spoof browser UI elements (address bar, origin indicator)
Impact
Deceive victim into trusting attacker-controlled content

Vulnerability AssessmentAI

Exploitation Exploitation requires two chained prerequisites: (1) the attacker must have already achieved renderer-process compromise in the victim's Chrome browser - a significant prerequisite typically requiring a separate, distinct browser vulnerability to be exploited first; and (2) the victim must actively visit or be redirected to a crafted HTML page (user interaction required, consistent with UI:R in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS of 5.4 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) presents an incomplete picture by using AC:L, which does not capture the substantial implicit prerequisite of renderer-process compromise. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has separately exploited a renderer-process vulnerability in the victim's Chrome browser delivers a crafted HTML page that passes malformed input through the Network component, exploiting the insufficient validation to spoof UI elements such as the origin indicator or address bar. The victim, presented with a convincing spoofed browser UI suggesting a trusted site, may submit credentials or sensitive data to an attacker-controlled destination. …
Remediation Update Google Chrome to version 150.0.7871.47 or later; this is the vendor-confirmed fix per the stable channel advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-14135 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy