Description
Insufficient policy enforcement in Spellcheck in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A weakness in the spellcheck component of Google Chrome allows an attacker who has already compromised the renderer process to read data from process memory. The vulnerability does not allow the attacker to execute arbitrary code; rather, it enables the retrieval of potentially sensitive information such as user data, browser state, or other memory contents. Because the attacker needs a foothold in the renderer, the impact is limited to situations where local or remote code execution in that process has already occurred, but the information leak can still pose significant privacy risks.

Affected Systems

All releases of Google Chrome prior to version 150.0.7871.47 are affected. The issue exists only in the Chromium-based stable channel before this patch release. No other vendors or products are implicitly impacted by this specific flaw.

Risk and Exploitability

The CVSS score is not provided, but the description indicates medium severity. The attacker must first compromise the renderer, a task that might be achieved through exploitation of other bugs or social engineering. Once inside the renderer, the memory read can be performed via a crafted HTML page. No EPSS score is available, and the vulnerability is not listed in CISA KEV. Given the requirement of prior renderer compromise, the risk is moderate, but the potential for privacy loss makes timely patching advisable.

Generated by OpenCVE AI on July 1, 2026 at 01:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 150.0.7871.47 or later.
  • Enable Site Isolation so that each site is rendered in its own process, limiting the scope of any renderer compromise.
  • If immediate update is not possible, disable spellcheck for untrusted content or use a browser extension that restricts renderer memory access.



Advisories

No advisories yet.

History

Wed, 01 Jul 2026 02:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Weaknesses | | CWE-20 |
| Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Wed, 01 Jul 2026 02:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | | Insufficient Policy Enforcement in Chrome Spellcheck Allows Memory Information Leak |
| Weaknesses | | CWE-200 |

Tue, 30 Jun 2026 23:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Insufficient policy enforcement in Spellcheck in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) |
| References | | |


MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-01T01:17:55.256Z

Reserved: 2026-06-29T23:03:50.175Z

Link: CVE-2026-13911

Vulnrichment

Updated: 2026-07-01T01:06:50.268Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T01:45:06Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor