Skip to main content

Google Chrome EUVDEUVD-2026-40630

| CVE-2026-13942 LOW
Improper Input Validation (CWE-20)
2026-06-30 chrome-cve-admin@google.com GHSA-jjj3-5mqc-gwqv
3.3
CVSS 3.1 · Vendor: google

Severity by source

Vendor (google) PRIMARY
3.3 LOW
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
vuln.today AI
3.3 LOW

Local-only delivery of crafted HTML, user must open page (UI:R), no data exfiltrated (C:N), integrity-only UI spoofing (I:L), no privilege needed to craft or serve the page (PR:N).

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jul 01, 2026 - 22:31 vuln.today
CVSS changed
Jul 01, 2026 - 20:22 NVD
3.3 (LOW)
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Inappropriate implementation in Video Capture in Google Chrome on ChromeOS prior to 150.0.7871.47 allowed a local attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

AnalysisAI

UI spoofing in Google Chrome's Video Capture component on ChromeOS allows a local attacker to deceive users by rendering misleading interface elements through a specially crafted HTML page. Versions prior to 150.0.7871.47 on ChromeOS are affected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local access to ChromeOS device
Delivery
Craft malicious HTML page exploiting Video Capture
Exploit
Deliver page to victim user
Execution
Victim opens crafted page
Persist
Spoofed UI elements rendered
Impact
Victim deceived into unintended action

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker operate with local access to the ChromeOS device - they must be able to deliver or cause the victim to open a crafted HTML page on that device. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals converge on low real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker with physical or shared access to a ChromeOS device crafts an HTML page that exploits the Video Capture implementation flaw to render spoofed browser UI elements - for example, fabricating a fake camera permission prompt or a misleading stream-active indicator - causing the user to take an action they would not otherwise take. No public proof-of-concept exists at time of analysis, and successful exploitation requires the victim to open the crafted page.
Remediation Update Google Chrome on ChromeOS to version 150.0.7871.47 or later, which contains the vendor-released patch for this issue. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40630 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy