Description
Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-17
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An inappropriate implementation in Chrome’s WebView component allowed an attacker to craft a malicious HTML page that could be rendered on Android devices running Chrome versions prior to 149.0.7827.155. When a victim opens such a page, the attacker could elevate their privileges on the device, potentially gaining full control of the device or accessing restricted data. The weakness corresponds to CWE-269 (Improper Privilege Management).

Affected Systems

Google Chrome for Android, with affected releases below 149.0.7827.155. Users of any device running these versions are at risk, regardless of Android version, until Chrome is updated to the patched release.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, but the EPSS score of less than 1% and the absence of the vulnerability from the CISA KEV catalog suggest exploitation is unlikely in the near term. The likely attack vector is a remote attacker delivering a crafted HTML page that the victim loads in Chrome, leading to privilege escalation. Exploitation requires the victim to open the malicious page; no user interaction beyond loading the page is needed.

Generated by OpenCVE AI on June 18, 2026 at 12:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome for Android to version 149.0.7827.155 or later via Google Play or system updates.
  • Configure devices to automatically install the latest Chrome updates and verify that the patched version is active.
  • For managed environments, consider restricting or disabling WebView usage for untrusted web content to reduce the attack surface.

Generated by OpenCVE AI on June 18, 2026 at 12:42 UTC.

Advisories
| Source | ID | Title |
|---|---|---|
| Debian DSA | DSA-6351-1 | chromium security update |

History

Thu, 18 Jun 2026 04:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Privilege Escalation via Malicious WebView Content in Chrome for Android |

Wed, 17 Jun 2026 13:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-269 |
| Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |

Wed, 17 Jun 2026 06:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Google; Google chrome |
| Vendors & Products | | Google; Google chrome |

Wed, 17 Jun 2026 05:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: High) |

References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-18T03:55:39.899Z

Reserved: 2026-06-16T19:38:27.131Z

Link: CVE-2026-12448

Vulnrichment

Updated: 2026-06-17T13:01:13.567Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T12:45:03Z

Weaknesses
  • CWE-269

    Improper Privilege Management