Description
Insufficient validation of untrusted input in UI in Google Chrome on Android prior to 150.0.7871.47 allowed a local attacker to perform privilege escalation via a malicious file. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A local attacker can exploit insufficient validation of untrusted input in the user interface of Google Chrome on Android to elevate privileges by crafting a malicious file. The vulnerability is a classic input validation flaw that allows the attacker to trigger the UI with crafted data, resulting in the application running with higher privileges than intended. This could enable the attacker to modify application data, install unauthorized code, or access sensitive information within the device.

Affected Systems

Google Chrome for Android versions earlier than 150.0.7871.47 are affected. Users running any of these versions on Android devices are at risk. The issue is specific to the Chrome UI handling of files.

Risk and Exploitability

The vulnerability carries a Medium severity in Chromium’s classification and could be exploited by a local attacker who already has a foothold on the device. No EPSS score is currently available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to create a malicious file on the device and then interact with the Chrome UI to trigger the flaw, so the attack vector is local.

Generated by OpenCVE AI on July 1, 2026 at 01:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 150.0.7871.47 or newer to apply the vendor fix.
  • Disable or restrict sharing of external files with Chrome on the device to reduce the risk of a crafted malicious file being used.
  • Ensure the device’s operating system and security settings are current, and consider restricting local user privileges or adopting a sandboxed user profile when handling sensitive data.

Generated by OpenCVE AI on July 1, 2026 at 01:27 UTC.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 01:45:00 +0000

Type | Values Removed | Values Added
Title | | Chrome on Android Privilege Escalation via Malicious File

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient validation of untrusted input in UI in Google Chrome on Android prior to 150.0.7871.47 allowed a local attacker to perform privilege escalation via a malicious file. (Chromium security severity: Medium)
Weaknesses | | CWE-20
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:24.354Z

Reserved: 2026-06-29T23:03:54.111Z

Link: CVE-2026-13927

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T01:30:17Z

Weaknesses
  • CWE-20: Improper Input Validation