Description
Inappropriate implementation in Passwords in Google Chrome on Android prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-11
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Google Chrome for Android, versions before 149.0.7827.115 have an inappropriate implementation in the passwords feature that may allow a remote attacker who has compromised the renderer process to bypass site isolation by loading a specially crafted HTML page. The vulnerability is mapped to CWE-1100 (Improper Handling of Arbitrary Inputs) and CWE-346 (Improper Verification of Cryptographic Checksum).

Affected Systems

Google Chrome on Android, all releases earlier than version 149.0.7827.115, as identified by the vendor and product data.

Risk and Exploitability

The attack requires an attacker to first gain control of the renderer process, after which the crafted HTML page can lift the isolation boundary. The EPSS score of <1% indicates a low probability of active exploitation. The CVSS score of 3.1 indicates a moderate risk level, and the vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 22, 2026 at 16:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome on all Android devices to version 149.0.7827.115 or later to eliminate the password module flaw.
  • Temporarily disable Chrome's password autofill features via Settings — turn off Autofill: Passwords or delete stored passwords — until the patch is deployed.
  • Ensure devices are set to receive automatic Chrome updates and verify the patch is installed immediately once available.

Generated by OpenCVE AI on June 22, 2026 at 16:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6344-1 chromium security update
History

Mon, 22 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-285

Mon, 22 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: chromium-browser: Inappropriate implementation  Passwords
Weaknesses CWE-1100
References
Metrics threat_severity

None

threat_severity

Moderate


Fri, 12 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Google android
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
Vendors & Products Google android

Fri, 12 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
Title Site isolation bypass in Chrome Passwords via compromised renderer

Fri, 12 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-346
Metrics cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 11 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
Title Site isolation bypass in Chrome Passwords via compromised renderer
Weaknesses CWE-285

Thu, 11 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Passwords in Google Chrome on Android prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-12T01:34:43.260Z

Reserved: 2026-06-11T18:16:08.674Z

Link: CVE-2026-12032

cve-icon Vulnrichment

Updated: 2026-06-12T01:34:08.041Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-11T22:16:55.773

Modified: 2026-06-12T18:05:11.093

Link: CVE-2026-12032

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-11T20:48:13Z

Links: CVE-2026-12032 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T17:00:06Z

Weaknesses
  • CWE-1100

    Insufficient Isolation of System-Dependent Functions

  • CWE-346

    Origin Validation Error