Impact
A flaw in Chrome’s DeviceBoundSessionCredentials handling in versions prior to 149.0.7827.197 permits a remote attacker to craft an HTML page that bypasses the browser’s same‑origin policy. The weakness lies in insufficient origin isolation and is marked as CWE‑346. This can enable the attacker to read or modify data that should be confined to a single origin, including sensitive information such as cookies and local storage, thereby compromising user confidentiality and integrity.
Affected Systems
Users operating Google Chrome before the 149.0.7827.197 release are affected. The issue appears in the stable channel and was addressed in the update published in June 2026.
Risk and Exploitability
Chromium rates the vulnerability as High, but the CVSS score is 4.3, denoting moderate risk. No EPSS score is available and the flaw is not listed in the CISA KEV catalog, suggesting it has not yet been exploited in the wild. The likely attack vector is a remote attacker hosting a malicious webpage; a victim visiting that page triggers the exploit without any local code execution or elevated privileges.
OpenCVE Enrichment
Debian DLA
Debian DSA