Skip to main content

Google Chrome EUVDEUVD-2026-36352

| CVE-2026-12032 LOW
Origin Validation Error (CWE-346)
2026-06-11 Chrome GHSA-hhvq-v5xw-j5q7
3.1
CVSS 3.1 · Vendor: Chrome

Severity by source

Vendor (Chrome) PRIMARY
3.1 LOW
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
vuln.today AI
3.1 LOW

Renderer pre-compromise drives AC:H; site isolation bypass yields only limited credential exposure so C:L; no integrity or availability impact applies.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Chrome).

CVSS VectorVendor: Chrome

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 12, 2026 - 02:29 vuln.today
CVSS changed
Jun 12, 2026 - 02:22 NVD
3.1 (LOW)
CVE Published
Jun 11, 2026 - 20:48 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Inappropriate implementation in Passwords in Google Chrome on Android prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Site isolation bypass in Google Chrome for Android (versions prior to 149.0.7827.115) enables an attacker who has already achieved renderer process compromise to cross origin boundaries via a crafted HTML page, potentially exposing password data managed by the browser's Passwords component. The vulnerability is rooted in CWE-346 (Origin Validation Error) - Chrome's Passwords implementation on Android fails to properly enforce origin checks in the context of a compromised renderer. No public exploit identified at time of analysis; the low CVSS base score of 3.1 reflects that exploitation is dependent on a prior renderer compromise, making this a chained-exploitation concern rather than a standalone critical risk.

Technical ContextAI

Google Chrome's site isolation architecture is designed to ensure that pages from different origins execute in separate renderer processes, preventing one site's content from accessing another site's memory or stored credentials. CWE-346 (Origin Validation Error) indicates that the Passwords component on Android does not correctly validate the origin of requests when the renderer has been compromised, breaking this isolation boundary. The CPE string cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* confirms the affected product is Google Chrome broadly, but the description and EUVD scope this specifically to the Android platform prior to build 149.0.7827.115. This class of bug is particularly relevant to multi-process browser security models where renderer compromise is a known attacker milestone, and origin validation failures can allow lateral movement across origins within the browser context.

RemediationAI

Vendor-released patch: Chrome 149.0.7827.115 for Android. Update Google Chrome on all Android devices to version 149.0.7827.115 or later via the Google Play Store or Chrome's built-in update mechanism; this is the only confirmed fix per the vendor advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_01962725236.html. No workarounds are documented by the vendor for this specific flaw. As a compensating control pending patch deployment, organizations managing Android device fleets via MDM can consider restricting Chrome from accessing sensitive saved credentials or enforcing Chrome password manager use through enterprise policy, though this reduces usability and does not eliminate the site isolation bypass risk. The primary defense against exploitation of this vulnerability remains preventing renderer compromise in the first place by keeping Chrome fully patched against all renderer-level vulnerabilities.

Share

EUVD-2026-36352 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy