Description
Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-17
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An implementation flaw in the Passwords feature of Google Chrome allows a remote attacker who convinces a user to perform specific UI gestures to make the browser expose data that should remain confined to its origin. Chromium rates the issue as high severity, indicating that sensitive information could be accessed by the attacker. The weakness is classified as CWE-451 (User Interface (UI) Misrepresentation of Critical Information), and the resulting impact is leakage of data across origins, compromising confidentiality.

Affected Systems

Google Chrome versions prior to 149.0.7827.155 are affected. This includes all desktop operating systems where the Chrome browser is installed and has not yet received the 149.0.7827.155 release or later. The flaw does not apply to Chrome builds that have incorporated the fix for 149.0.7827.155 or newer, nor to other browsers.

Risk and Exploitability

The CVSS score of 3.1 indicates a low overall severity, and the EPSS score of less than 1% reflects a very low likelihood of exploitation at the time of analysis. The vulnerability is not currently listed in the CISA KEV catalog. The attack requires a user to interact with a maliciously crafted HTML page that triggers specific UI gestures; thus the attacker must persuade or trick the user into performing the required gestures. Even if exploited, the impact is limited to leakage of cross-origin data and does not provide arbitrary code execution or system compromise.

Generated by OpenCVE AI on June 17, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.155 or later to incorporate the vendor‑supplied fix.
  • Deploy a policy or extension that restricts JavaScript execution on unknown or untrusted web pages to reduce the likelihood of successful UI‑gesture based leakage.
  • Educate users to avoid clicking or interacting with suspicious or unexpected UI prompts that may be part of malicious web content.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 11:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-451
Metrics | | cvssV3_1: {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 07:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google; Google chrome
Vendors & Products | | Google; Google chrome

Wed, 17 Jun 2026 05:15:00 +0000

Type | Values Removed | Values Added
Description | | Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-17T10:50:15.347Z

Reserved: 2026-06-16T19:38:30.749Z

Link: CVE-2026-12458

Vulnrichment

Updated: 2026-06-17T10:50:10.514Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T06:45:03Z

Weaknesses
  • CWE-451

    User Interface (UI) Misrepresentation of Critical Information