Skip to main content

Chrome Android EUVDEUVD-2026-40767

| CVE-2026-14080 MEDIUM
Improper Input Validation (CWE-20)
2026-06-30 chrome-cve-admin@google.com GHSA-hvw7-vx9g-h75q
4.3
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Network-delivered via malicious traffic with no auth needed, but user tab interaction required; impact is integrity-only navigation bypass with no data exposure or availability loss.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 18:36 vuln.today
CVSS changed
Jul 01, 2026 - 18:22 NVD
4.3 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
MEDIUM 4.3
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Insufficient validation of untrusted input in TabSwitcher in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via malicious network traffic. (Chromium security severity: Low)

AnalysisAI

Navigation restriction bypass in Google Chrome for Android (prior to 150.0.7871.47) allows a remote attacker to circumvent browser navigation controls through crafted malicious network traffic targeting the TabSwitcher component. The flaw stems from insufficient input validation (CWE-20) in the tab management UI and requires user interaction to trigger, limiting its practical reach. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker serves malicious network traffic
Delivery
Victim browses on Chrome for Android
Exploit
User interacts with TabSwitcher UI
Execution
Insufficient input validation triggered
Persist
Navigation restriction policy bypassed
Impact
Attacker-controlled navigation executed

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to be running Google Chrome on an Android device with a version prior to 150.0.7871.47 - desktop Chrome is not affected. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) reflects a constrained threat: while the attack vector is network-accessible and requires no authentication, exploitation depends on user interaction (UI:R) and produces only a low-integrity impact with no confidentiality or availability consequences. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker serving content over a network (e.g., a malicious website or a man-in-the-middle position on an untrusted Wi-Fi network) delivers crafted traffic that exploits the TabSwitcher input validation flaw in Chrome for Android. When the victim interacts with the browser's tab interface - for example, switching between tabs - the malicious input triggers a navigation restriction bypass, potentially redirecting the user to content that would normally be blocked. …
Remediation Upgrade Google Chrome on Android to version 150.0.7871.47 or later, which contains the vendor-released patch. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

EUVD-2026-40767 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy