Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass same origin policy via a crafted Chrome Extension. (Chromium security severity: Medium)
AnalysisAI
Same-origin policy bypass in Google Chrome's Extensions subsystem (versions prior to 149.0.7827.53) allows an attacker who socially engineers a user into installing a crafted malicious extension to violate cross-origin boundaries, enabling unauthorized integrity impact against content from other origins. The CVSS vector (I:H, C:N) confirms the impact is write/modify-only - sensitive data exfiltration is not a direct consequence. No public exploit code or active exploitation has been identified at time of analysis; EPSS is negligible at 0.01% (1st percentile), consistent with the social-engineering prerequisite limiting mass exploitation.
Technical ContextAI
The root cause is classified as CWE-346 (Origin Validation Error), an inappropriate implementation within Chrome's Extensions API that fails to correctly enforce same-origin policy (SOP) restrictions for crafted extensions. SOP is a foundational browser security boundary preventing scripts loaded from one origin from accessing or modifying resources belonging to another. Chrome extensions operate in a privileged context with access to tabs, content scripts, and cross-origin messaging APIs, making defects in how the extension sandbox validates origin boundaries particularly dangerous. The flaw allows a specially crafted extension to exploit this implementation gap and bridge origin isolation that Chrome's security model is designed to enforce. Affected product is Google Chrome for desktop, all builds prior to stable release 149.0.7827.53, as confirmed by ENISA EUVD-2026-34497.
RemediationAI
Upgrade Google Chrome to version 149.0.7827.53 or later, as confirmed by the vendor's stable channel advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Chrome auto-updates by default; verify the installed version via chrome://settings/help. As a targeted compensating control prior to or alongside patching, enforce extension installation policies through Chrome Enterprise or Google Admin Console to restrict users to an approved allowlist of extensions - this directly eliminates the attack vector by preventing malicious extension installation. The trade-off is reduced user autonomy around extension choice. Organizations without enterprise management should instruct users to install extensions only from trusted, vetted sources and to reject unsolicited extension installation prompts.
Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player
V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac
Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, a
The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, do
Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb
Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi
An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi
The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se
Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13
Same weakness CWE-346 – Origin Validation Error
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34497
GHSA-mx9q-p75x-m88c