Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Insufficient policy enforcement in FoldableAPIs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
AnalysisAI
Same-origin policy bypass in Google Chrome's FoldableAPIs component (versions prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to exfiltrate cross-origin data by delivering a crafted HTML page. Rated Medium (CVSS 4.7) with a Changed scope, this is a second-stage exploit primitive - not a standalone critical - requiring a pre-existing renderer compromise before it is triggerable. EPSS at 0.02% (6th percentile), SSVC exploitation status of 'none', and Google's internal 'Low' severity rating collectively confirm this is a patch-on-schedule rather than emergency-response priority. No public exploit identified at time of analysis.
Technical ContextAI
The vulnerability resides in Chrome's FoldableAPIs, a Chromium component exposing platform-specific APIs related to foldable display device features. The root cause is CWE-20 (Improper Input Validation) - the FoldableAPIs implementation fails to sufficiently validate or enforce policy constraints at the renderer layer, allowing an already-compromised renderer to violate the Same-Origin Policy (SOP), the browser's foundational security boundary isolating content across web origins. The CVSS Scope:Changed (S:C) attribute is analytically significant: it confirms the vulnerability crosses a defined security boundary - from the compromised renderer context into broader browser-level policy enforcement - even though impact is limited to partial confidentiality (C:L). Affected versions span all Chrome Desktop releases prior to 149.0.7827.53, as confirmed by the ENISA EUVD entry EUVD-2026-34694. No CPE string was provided in the input data.
RemediationAI
The primary fix is to update Google Chrome to version 149.0.7827.53 or later; this is a vendor-released patch confirmed by both the Chrome Releases advisory (https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html) and the ENISA EUVD entry EUVD-2026-34694. Chrome auto-updates by default - administrators managing enterprise fleets should verify that endpoints have received the update via their browser management console (e.g., Google Admin, Tanium, or equivalent). As a compensating control specifically relevant to this vulnerability's prerequisites, enforcing strict site isolation via the Chrome enterprise policy 'SitePerProcess' reduces the blast radius of any renderer-compromise exploit that could chain into this bypass; note this policy may increase memory usage in environments with many open tabs. Organizations unable to patch immediately should audit whether FoldableAPIs-adjacent features are in active use and consider blocking access to foldable-device-specific API endpoints via Content Security Policy where feasible, though the trade-off is potential breakage of legitimate foldable device experiences.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34694
GHSA-r3q4-gcgj-mfrp