Impact
An Android WebView component in Google Chrome did not sufficiently validate untrusted input, so an attacker who had already compromised the renderer process could use a crafted HTML page to bypass the same-origin policy. A compromised renderer process could then read data from, or interact with, websites that belong to a different domain, undermining data confidentiality and potentially enabling further malicious actions.
Affected Systems
All Android devices running Google Chrome versions older than 150.0.7871.47 are affected. The vulnerability was fixed in the stable channel update released in June 2026, which includes version 150.0.7871.47 and later. Users on any earlier release must update to the patched build.
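One way to check a device fleet against the fixed build, as an added example that is not part of the original advisory. It assumes each device's text was collected with `adb shell dumpsys package com.android.chrome`; the device names and sample outputs are constructed.

```python
import re

PATCHED = (150, 0, 7871, 47)  # fixed build stated in this advisory
VERSION_RE = re.compile(r"^\s*versionName=(\d+(?:\.\d+){3})\s*$", re.MULTILINE)

def active_version(dumpsys_text):
    """Return the installed Chrome version as a 4-tuple of ints, or None."""
    # Assumption: for an updated system app, dumpsys also lists the factory
    # copy under "Hidden system packages:"; that older entry must be ignored.
    active = dumpsys_text.split("Hidden system packages:", 1)[0]
    m = VERSION_RE.search(active)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def classify(dumpsys_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one device."""
    version = active_version(dumpsys_text)
    if version is None:
        return "unknown"  # no parsable version: follow up, never assume patched
    # Tuple comparison is numeric per component; comparing the raw strings
    # would rank "150.0.7871.9" above "150.0.7871.47".
    return "patched" if version >= PATCHED else "vulnerable"

def audit(inventory):
    """Map device id -> status for a dict of device id -> dumpsys text."""
    return {device: classify(text) for device, text in inventory.items()}

# Constructed sample inventory (hypothetical devices and outputs).
SAMPLE = {
    "dev-a": "  Package [com.android.chrome] (1a2b3c):\n"
             "    versionName=150.0.7871.47\n",
    "dev-b": "  Package [com.android.chrome] (1a2b3c):\n"
             "    versionName=150.0.7871.9\n",
    "dev-c": "  Package [com.android.chrome] (1a2b3c):\n"
             "    versionName=99.0.4844.88\n",
    "dev-d": "  Package [com.android.chrome] (1a2b3c):\n"
             "    versionName=150.0.7871.100\n"
             "Hidden system packages:\n"
             "  Package [com.android.chrome] (4d5e6f):\n"
             "    versionName=120.0.6099.43\n",
    "dev-e": "Unable to find package: com.android.chrome\n",
}

if __name__ == "__main__":
    for device, status in sorted(audit(SAMPLE).items()):
        print(f"{device}: {status}")
```

Devices reported as `unknown` need manual follow-up rather than being counted as patched.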
Risk and Exploitability
Chromium rates the vulnerability as medium severity. Exploitation requires a prior compromise of the renderer process, which is non-trivial, and no exploit code has been confirmed in the wild. EPSS data is not available and the flaw is not listed in the CISA KEV catalog, indicating a lower but still present risk. Operator awareness and rapid patching remain important to prevent potential exploitation.