Description
Inappropriate implementation in Passwords in Google Chrome on Mac prior to 150.0.7871.47 allowed a local attacker to obtain potentially sensitive information from process memory via a malicious file. (Chromium security severity: Medium)
Published: 2026-06-30
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Chrome for macOS versions prior to 150.0.7871.47, incorrect handling of password data in the browser's password manager allows a local attacker who can create or influence a malicious file to read sensitive information from Chrome’s process memory. This memory disclosure can expose stored credentials or other confidential data, which makes it an information‑exposure vulnerability.

Affected Systems

The affected product is Google Chrome running on macOS. Any installation of Chrome with a version number earlier than 150.0.7871.47 is vulnerable. No specific minor or patch releases are listed in the CNA data.

Risk and Exploitability

Because the flaw requires a local attacker to supply a malicious file, it cannot be exploited directly over the network. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalogue. Chromium rates the severity of the bug as Medium, indicating a moderate risk that could still lead to credential theft if an attacker gains local access. Exploitation also depends on the user interacting with a compromised file or application that can trigger the memory read path.

Generated by OpenCVE AI on July 1, 2026 at 01:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to the latest stable release (150.0.7871.47 or later).
  • Ensure macOS is up‑to‑date and that System Integrity Protection is enabled.
  • Avoid opening or executing suspicious files and disable unnecessary file handlers to reduce local attack surface.



Advisories

No advisories yet.

History

Wed, 01 Jul 2026 02:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-284
Metrics | | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 02:00:00 +0000

Type | Values Removed | Values Added
Title | | Local Process Memory Disclosure via Malicious File in Chrome Passwords
Weaknesses | | CWE-200

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Inappropriate implementation in Passwords in Google Chrome on Mac prior to 150.0.7871.47 allowed a local attacker to obtain potentially sensitive information from process memory via a malicious file. (Chromium security severity: Medium)
References | |


MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-01T01:17:39.865Z

Reserved: 2026-06-29T23:03:50.884Z

Link: CVE-2026-13914

Vulnrichment

Updated: 2026-07-01T01:07:24.112Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T01:45:06Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-284

    Improper Access Control