Skip to main content

Chrome for iOS EUVDEUVD-2026-40494

| CVE-2026-13808 MEDIUM
Improper Input Validation (CWE-20)
2026-06-30 chrome-cve-admin@google.com GHSA-v598-mr98-5866
4.6
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
4.6 MEDIUM
AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
4.6 MEDIUM

Physical device presence is the sole access requirement (AV:P); no credential or privilege needed; only confidentiality impacted via in-process memory read.

3.1 AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 04:31 vuln.today
CVSS changed
Jul 01, 2026 - 02:22 NVD
4.6 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 30, 2026 - 23:16 cve.org
MEDIUM 4.6

DescriptionCVE.org

Insufficient data validation in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a local attacker to obtain potentially sensitive information from process memory via physical access to the device. (Chromium security severity: High)

AnalysisAI

Sensitive process memory exposure in Google Chrome for iOS prior to 150.0.7871.47 enables a physically present attacker to read potentially sensitive data from the browser's memory without authentication. The root cause is insufficient data validation (CWE-20) within the iOS-specific Chrome implementation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain physical access to target iOS device
Delivery
Access Chrome for iOS browser process
Exploit
Trigger insufficient data validation flaw
Execution
Read sensitive data from browser process memory
Impact
Exfiltrate session tokens or credentials

Vulnerability AssessmentAI

Exploitation Physical access to the iOS device is the mandatory prerequisite - the CVSS vector AV:P confirms this is not remotely exploitable under any condition. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.6 (Medium) accurately reflects constrained real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with physical access to a target iOS device running an unpatched Chrome for iOS version triggers a data validation flaw in the browser process, allowing them to read memory contents that may include session tokens, saved passwords, or browsing history. No public exploit code has been identified, so exploitation would currently require independent vulnerability research to reproduce the flaw.
Remediation Update Google Chrome for iOS to version 150.0.7871.47 or later via the Apple App Store. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

EUVD-2026-40494 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy