Skip to main content

Google Chrome EUVDEUVD-2026-40596

| CVE-2026-13910 MEDIUM
Protection Mechanism Failure (CWE-693)
2026-06-30 chrome-cve-admin@google.com GHSA-9r7r-6r2r-9fmj
6.5
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Remote delivery via crafted page (AV:N/AC:L), no attacker privileges needed (PR:N), victim page-visit required (UI:R), confidentiality-only leakage with no integrity or availability impact (C:H/I:N/A:N).

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 15:42 vuln.today
CVSS changed
Jul 01, 2026 - 15:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
MEDIUM 6.5
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Insufficient policy enforcement in WebXR in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

AnalysisAI

Cross-origin data leakage in the WebXR implementation of Google Chrome on Android (versions prior to 150.0.7871.47) allows remote unauthenticated attackers to exfiltrate sensitive cross-origin information by enticing a victim to visit a crafted HTML page. The flaw is rooted in CWE-693 (Protection Mechanism Failure), where WebXR fails to enforce cross-origin isolation policies on Android specifically. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious WebXR HTML page
Delivery
Deliver page link to Android Chrome victim via phishing or malvertising
Exploit
Victim opens page in Chrome on Android < 150.0.7871.47
Execution
WebXR API invoked, triggering insufficient policy enforcement
Impact
Cross-origin data exfiltrated to attacker-controlled endpoint

Vulnerability AssessmentAI

Exploitation Exploitation requires three simultaneous conditions: (1) the victim must be using Google Chrome on Android at a version prior to 150.0.7871.47 - other platforms (iOS Chrome, desktop Chrome) are not indicated as vulnerable; (2) the victim must visit an attacker-controlled or attacker-influenced HTML page, providing the mandatory user interaction (UI:R); and (3) WebXR API support must be available on the device, which is enabled by default on compatible Android hardware. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.5 Medium score accurately reflects the real-world risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or compromises a website and embeds a crafted HTML page that invokes the WebXR API with parameters designed to trigger the policy enforcement gap, causing the browser to expose cross-origin resource data (such as authenticated page content or cookies readable via timing or direct API response). The victim is directed to this page via phishing email, malicious advertisement, or a compromised legitimate site visited on their Android device. …
Remediation Vendor-released patch: Chrome for Android 150.0.7871.47. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

EUVD-2026-40596 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy