Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionNVD
Inappropriate implementation in CustomTabs in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
AnalysisAI
Cross-origin data leakage via Chrome's CustomTabs component on Android exposes confidential web content to attackers who can deliver a crafted HTML page to a victim. Affected versions are all Chrome for Android releases prior to 149.0.7827.53. Despite Chromium's internal 'Low' severity rating, the CVSS confidentiality impact is scored High (C:H), and user interaction is required (UI:R) - meaning exploitation depends on a victim opening attacker-controlled content. No public exploit code exists and no active exploitation has been identified; EPSS at 0.01% (1st percentile) corroborates low near-term exploitation likelihood.
Technical ContextAI
CustomTabs is a Chrome for Android API that allows third-party applications to open web content within a Chrome-rendered browser session while retaining app UI context. The vulnerability is rooted in CWE-346 (Origin Validation Error), a class of flaws where the implementation fails to adequately verify or enforce the origin boundary of content or data. In this case, an inappropriate implementation within the CustomTabs subsystem permits a crafted HTML page to read or infer data belonging to a different origin - violating the Same-Origin Policy. The affected component is specific to the Android platform; desktop Chrome is not implicated. The exact CPE from EUVD-affected-version data is Google Chrome on Android versions prior to 149.0.7827.53.
RemediationAI
The vendor-released patch is Chrome for Android version 149.0.7827.53, confirmed via the Chromium stable channel advisory at http://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Users and administrators should update Chrome on Android devices to 149.0.7827.53 or later through the Google Play Store or managed MDM update policies. If immediate patching is not possible, a compensating control is to restrict or disable third-party application use of the CustomTabs API for apps handling sensitive cross-origin sessions - this limits the attack surface to the Chrome browser itself rather than embedded contexts. Additionally, user awareness to avoid visiting untrusted HTML pages reduces the UI:R prerequisite. Note that restricting CustomTabs may break app functionality for applications that rely on it for in-app browsing.
Same weakness CWE-346 – Origin Validation Error
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34739
GHSA-3483-cg54-gpx2