Description
Inappropriate implementation in Downloads in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the way Chrome on Windows handles certain intentional user interactions with download-related UI elements after visiting a crafted HTML page. A remote attacker can persuade a user to perform specific gestures that trigger code execution without the user's conscious approval. The result is arbitrary code running with the privileges of the Chrome process, potentially allowing a full compromise of the host system.

Affected Systems

Google Chrome versions on Windows released prior to 150.0.7871.47 are affected. The issue is reported for the stable channel and is fixed in the 150.0.7871.47 update.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, but it carries Medium severity according to Chromium's own assessment. The attack requires user interaction with a malicious page and relies on exploiting the download handling subsystem to execute code. No validated exploit has been publicly disclosed, but the nature of the flaw, arbitrary code execution, implies high impact if exploited.

Generated by OpenCVE AI on July 1, 2026 at 01:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 150.0.7871.47 or later. This is the vendor-issued fix that removes the flaw in download handling.
  • Ensure Chrome's auto-update feature is enabled so the browser receives future patches promptly. This reduces the window of vulnerability for any unpatched versions.
  • Avoid interacting with suspicious download prompts and exercise safe browsing practices to mitigate the risk of user-facilitated exploitation.


Tracking


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 01:45:00 +0000

Type         Values Removed   Values Added
Title                         Unsafe Download Handling Enables Arbitrary Code Execution via User Interaction
Weaknesses                    CWE-79, CWE-94

Tue, 30 Jun 2026 23:15:00 +0000

Type         Values Removed   Values Added
Description                   Inappropriate implementation in Downloads in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Medium)
References

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:23.627Z

Reserved: 2026-06-29T23:03:53.615Z

Link: CVE-2026-13925

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T01:30:17Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-94: Improper Control of Generation of Code ('Code Injection')