Skip to main content

Google Chrome EUVDEUVD-2026-40562

| CVE-2026-13876 MEDIUM
Protection Mechanism Failure (CWE-693)
2026-06-30 chrome-cve-admin@google.com GHSA-wx7c-5g9f-68r4
6.5
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
vuln.today AI
5.3 MEDIUM

AC raised to High because 'privileged network position' (MiTM) is an explicit prerequisite; all other metrics follow the description directly.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 15:41 vuln.today
CVSS changed
Jul 01, 2026 - 15:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 30, 2026 - 23:17 cve.org
MEDIUM 6.5

DescriptionCVE.org

Inappropriate implementation in Network in Google Chrome prior to 150.0.7871.47 allowed an attacker in a privileged network position to bypass content security policy via malicious network traffic. (Chromium security severity: Medium)

AnalysisAI

Content Security Policy bypass in Google Chrome prior to 150.0.7871.47 is achievable by an attacker holding a privileged network position who can manipulate traffic between the victim's browser and a server. The flaw originates in Chrome's Network component (CWE-693: Protection Mechanism Failure), where an inappropriate implementation allows CSP enforcement to be circumvented via crafted network traffic, yielding a High Integrity impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain privileged network position (MiTM)
Delivery
Intercept victim's Chrome network traffic
Exploit
Inject crafted malicious network responses
Execution
Trigger Chrome's improper CSP implementation
Persist
Bypass Content Security Policy enforcement
Impact
Load unauthorized scripts or exfiltrate data

Vulnerability AssessmentAI

Exploitation Exploitation strictly requires that the attacker hold a privileged network position - the ability to intercept and inject traffic between the victim's Chrome browser and a web server (e.g., ARP spoofing, rogue access point, compromised gateway, or BGP-level hijack). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N scores 6.5 (Medium), but the AC:L assignment arguably understates the real-world difficulty: the description explicitly requires an 'attacker in a privileged network position,' which in practice means MiTM capability - a non-trivial prerequisite that is better reflected by AC:H. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker operating as a man-in-the-middle on a network segment the victim traverses - for example via a rogue Wi-Fi access point or ARP spoofing on a corporate LAN - intercepts Chrome's HTTP or HTTPS negotiation and injects crafted network responses that exploit the improper CSP implementation. When the victim browses to any web page (the required user interaction), Chrome processes the manipulated traffic and loads attacker-controlled resources that CSP policy should have blocked, enabling script injection or unauthorized data access. …
Remediation Update Google Chrome to version 150.0.7871.47 or later, which contains the vendor-released patch per the stable channel advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

EUVD-2026-40562 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy