Description
Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-17
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An implementation flaw in the Passwords feature of Google Chrome allows a remote attacker who convinces a user to perform specific UI gestures to cause the browser to unintentionally expose data that should remain confined to its origin. The flaw is classified as CWE-451 and CWE-940 and is identified by Chromium as a high‑severity issue, meaning sensitive information could be accessed by an attacker. The impact is limited to the leakage of cross‑origin data, compromising confidentiality but not providing code execution or broader system compromise.

Affected Systems

Google Chrome desktop versions prior to 149.0.7827.155 are affected. This includes all operating systems on which the Chrome browser is installed and has not yet received the 149.0.7827.155 release or newer. Chrome builds that contain the fix for 149.0.7827.155 or later are not affected, nor are browsers other than Chrome.

Risk and Exploitability

The CVSS score of 3.1 indicates a low overall severity, and the EPSS score of less than 1% reflects a very low likelihood of exploitation at the time of analysis. The vulnerability is not listed in CISA KEV. Exploitation requires an attacker to convince a user to interact with a maliciously crafted HTML page that triggers specific UI gestures. Given the low severity and exploitation probability, the immediate risk is moderate but should still be mitigated promptly.

Generated by OpenCVE AI on June 19, 2026 at 14:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.155 or later to apply the vendor‑supplied fix.
  • If a patch cannot be applied immediately, enforce a policy or use an extension that blocks JavaScript execution on unknown or untrusted web pages to reduce the likelihood of UI‑gesture based leakage.
  • Educate users to avoid clicking or otherwise interacting with suspicious or unexpected UI elements that may be part of malicious web content.

Generated by OpenCVE AI on June 19, 2026 at 14:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6351-1 chromium security update
History

Fri, 19 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Password Disclosure via UI Gestures in Google Chrome chromium-browser: chromium-browser: Incorrect security UI in Passwords
Weaknesses CWE-940
References
Metrics threat_severity

None

threat_severity

Moderate


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Password Disclosure via UI Gestures in Google Chrome

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-451
Metrics cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 07:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-17T10:50:15.347Z

Reserved: 2026-06-16T19:38:30.749Z

Link: CVE-2026-12458

cve-icon Vulnrichment

Updated: 2026-06-17T10:50:10.514Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-17T01:38:21Z

Links: CVE-2026-12458 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T14:15:04Z

Weaknesses
  • CWE-451

    User Interface (UI) Misrepresentation of Critical Information

  • CWE-940

    Improper Verification of Source of a Communication Channel