Description
Race in DataTransfer in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition in Chrome's DataTransfer API lets a remote attacker read sensitive data from process memory when a victim loads a specially crafted HTML page. The flaw arises when the DataTransfer object is manipulated before the underlying data transfer lifecycle is finalized, allowing the attacker to obtain data that should remain confidential. Chromium rates the issue as Medium severity; the leakage could potentially expose user credentials, cookies, or other private data.

Affected Systems

Google Chrome versions earlier than 150.0.7871.47 are affected. The issue impacts all platforms where Chrome is installed and used to view HTML content, as the vulnerability is triggered purely in the browser rendering engine. Users who continue to run older Chrome releases remain vulnerable until they upgrade to a newer build that contains the race condition fix.

Risk and Exploitability

The likely attack vector is remote, via a malicious web page that the user visits. To exploit the flaw, the attacker must first trick the victim into accessing a crafted page, after which the race in DataTransfer can expose memory contents. The exploit does not require elevated local privileges and can be performed against any user who loads the malicious page. While the EPSS is not available and the vulnerability is not listed in CISA's KEV catalog, its Medium severity rating suggests a moderate risk if the vulnerability is actively targeted. Successful exploitation would disclose potentially sensitive data, compromising the confidentiality of the affected user.

Generated by OpenCVE AI on July 1, 2026 at 01:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 150.0.7871.47 or later to receive the race condition fix.
  • Ensure that machines cannot automatically load or execute untrusted HTML content from the internet by disabling or restricting the DataTransfer API usage for unknown origins.
  • Apply general web-browser hardening practices, such as enforcing strict content security policies and disabling clipboard access on untrusted sites.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 02:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-362
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 01:30:00 +0000

Type | Values Removed | Values Added
Title | | Race Condition in DataTransfer Allows Memory Disclosure via Crafted HTML Page
Weaknesses | | CWE-200

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Race in DataTransfer in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-01T01:29:25.532Z

Reserved: 2026-06-29T23:03:39.329Z

Link: CVE-2026-13874

Vulnrichment

Updated: 2026-07-01T01:29:20.741Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T01:15:16Z

Weaknesses

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')