Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
Insufficient policy enforcement in PreviewTab in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
AnalysisAI
Same-origin policy bypass in the PreviewTab component of Google Chrome for Android (versions prior to 149.0.7827.53) enables a remote unauthenticated attacker to violate cross-origin isolation and corrupt content integrity. Exploitation requires social engineering - the victim must visit a crafted HTML page and be manipulated into performing specific UI gestures within the PreviewTab interface. The CVSS vector scores high integrity impact (I:H) with no confidentiality or availability impact, indicating an attacker can alter or inject content across origin boundaries but cannot directly exfiltrate data. No public exploit code or CISA KEV listing has been identified; EPSS sits at 0.02% (4th percentile), reflecting very low current exploitation probability.
Technical ContextAI
The affected component is PreviewTab, a Chrome for Android UI feature that allows users to preview linked pages before fully navigating. The root cause is classified under CWE-346 (Origin Validation Error), meaning the browser fails to properly enforce same-origin policy (SOP) checks within this feature's policy enforcement layer. SOP is the foundational browser security boundary that prevents scripts on one origin from accessing or modifying resources belonging to a different origin. When PreviewTab insufficiently validates origin context - for instance, failing to isolate the preview's browsing context from the initiating page's origin - a crafted HTML page can exploit the gap to influence cross-origin content. This class of bug is Android-specific, tied to the mobile Chrome UI surface rather than the shared Chromium rendering engine core. The fix is confirmed available in Chrome 149.0.7827.53 for Android per the vendor's stable channel release advisory.
RemediationAI
The primary fix is to update Google Chrome for Android to version 149.0.7827.53 or later, which is confirmed available via the vendor's stable channel release. Users should apply this update through the Google Play Store. The vendor advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html provides confirmation of the fix. No patch is required for desktop Chrome platforms as this vulnerability is Android-specific. If immediate patching is not feasible, a practical compensating control is to disable or avoid using the PreviewTab feature through Chrome flags (chrome://flags), which removes the vulnerable UI surface entirely; this may degrade link preview functionality but eliminates the attack vector. Restricting access to untrusted or unknown URLs through enterprise mobile device management (MDM) policy can also reduce exposure for managed Android fleets.
Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player
V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac
Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, a
The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, do
Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb
Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi
An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi
The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se
Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13
Same weakness CWE-346 – Origin Validation Error
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34687
GHSA-qf3m-3w2w-q7r8