Description
Inappropriate implementation in NFC in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the NFC implementation within Google Chrome on Android. An attacker who has already compromised the renderer process can use a crafted HTML page to read and transmit data that originates from a different web origin, leaking confidential information across site boundaries. The weakness corresponds to improper information disclosure (CWE-200).

Affected Systems

Google Chrome on Android versions prior to 150.0.7871.47 are impacted. The issue affects all mobile devices running an affected stable-channel build, including older Android devices that have not updated Chrome to 150.0.7871.47.

Risk and Exploitability

Chromium rates this issue as Medium severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the attacker has already gained control of the renderer process, which typically implies a prior local compromise or exploitation of another vector. Because the damage is limited to cross-origin data leakage and the path to compromising the renderer is nontrivial, the overall risk is moderate, but the potential damage to user privacy could be significant.

Generated by OpenCVE AI on July 1, 2026 at 12:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 150.0.7871.47 or later, which patches the NFC handling bug.
  • If immediate upgrade is not possible, disable NFC functionality in Chrome via device settings or by blocking NFC feature flags to prevent malicious NFC‑driven exploits.
  • Monitor Chrome update channels and apply security patches as soon as they are released; ensure normal component isolation is enforced to keep the renderer process isolated from privileged code.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 12:45:00 +0000

Type Values Removed Values Added
Title Cross‑Origin Data Leakage via NFC Handler in Google Chrome for Android
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 01 Jul 2026 08:15:00 +0000

Type Values Removed Values Added
Title Renderer Process Compromise Allows Cross‑Origin Data Leakage in Chrome Android
Weaknesses CWE-200

Wed, 01 Jul 2026 01:15:00 +0000

Type Values Removed Values Added
Title Renderer Process Compromise Allows Cross‑Origin Data Leakage in Chrome Android
Weaknesses CWE-200

Tue, 30 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in NFC in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:09.699Z

Reserved: 2026-06-29T23:03:42.521Z

Link: CVE-2026-13887

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T12:30:17Z

Weaknesses

No weakness.