Skip to main content

Google Chrome EUVDEUVD-2026-40779

| CVE-2026-14092 MEDIUM
Protection Mechanism Failure (CWE-693)
2026-06-30 chrome-cve-admin@google.com GHSA-jhfh-9hjr-wg99
4.3
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
vuln.today AI
3.1 LOW

AC:H reflects the privileged network position prerequisite (on-path MITM); all other metrics align with the provided vector - PR:N, UI:R, C:L only.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 17:29 vuln.today
CVSS changed
Jul 01, 2026 - 17:22 NVD
4.3 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 30, 2026 - 23:17 cve.org
MEDIUM 4.3

DescriptionCVE.org

Insufficient policy enforcement in Privacy in Google Chrome prior to 150.0.7871.47 allowed an attacker in a privileged network position to leak cross-origin data via malicious network traffic. (Chromium security severity: Low)

AnalysisAI

Cross-origin data leakage in Google Chrome prior to 150.0.7871.47 enables an on-path network adversary to bypass Chrome's privacy policy enforcement and observe data belonging to a different origin via crafted malicious network traffic. The flaw is classified as CWE-693 (Protection Mechanism Failure), indicating Chrome's privacy isolation layer fails to correctly enforce cross-origin restrictions under certain network conditions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attain privileged on-path network position
Exploit
Inject crafted malicious network traffic toward victim
Execution
Trigger Chrome privacy policy enforcement failure
Impact
Leak cross-origin response data to attacker

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a privileged network position - specifically, the ability to inject or intercept network traffic between the victim's browser and the remote server (e.g., via ARP spoofing, rogue access point, BGP hijack, or ISP-level interception). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS base score of 4.3 (Medium) reflects a genuinely limited impact: C:L with no integrity or availability consequence, and UI:R constraining passive exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker operating a rogue wireless access point at a public venue, or positioned at the network edge via ARP poisoning on a corporate LAN, injects crafted HTTP or HTTPS-adjacent network responses while the victim browses normally in Chrome. The malicious traffic triggers Chrome's insufficient privacy policy enforcement, causing the browser to leak cross-origin response data - such as the contents of a framed resource or a cross-origin fetch - back to the attacker's vantage point. …
Remediation Update Google Chrome to version 150.0.7871.47 or later, which is confirmed as the vendor-released patch per the Google Chrome Stable Channel Update advisory at chromereleases.googleblog.com. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

EUVD-2026-40779 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy