Description
Insufficient policy enforcement in Passwords in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient policy enforcement in Passwords in Google Chrome before 150.0.7871.47 lets a remote attacker who has already compromised the renderer process read potentially sensitive data from process memory via a specially crafted HTML page. The result is exposure of confidential information, and Chromium classifies the issue as Medium severity. The flaw is rooted in inadequate enforcement of policy boundaries in the renderer, an exposure of sensitive information (CWE-200).

Affected Systems

The affected product is Google Chrome. Versions prior to 150.0.7871.47 are vulnerable; the update released in June 2026 contains the fix, so any Chrome installation older than that patch is impacted.

Risk and Exploitability

The CVSS score is not disclosed, but Chromium labels the issue as Medium. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting a moderate likelihood of exploitation in the wild. The attack requires the attacker to already have compromised the renderer process, so it is not a general remote code execution vector; rather it is an information‑disclosure risk that depends on preliminary compromise. No known active exploits or zero‑day usage have been reported as of the latest advisory.

Generated by OpenCVE AI on July 1, 2026 at 01:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 150.0.7871.47 or later to apply the vendor patch that improves renderer policy enforcement and prevents memory disclosure.
  • Apply browser security hardening measures such as enabling the "Process isolation" and "Hardware accelerated video" flags to limit the impact of any compromised renderer.
  • Regularly monitor the system for signs of renderer compromise or abnormal memory access patterns, and use endpoint protection to detect suspicious activity.

Generated by OpenCVE AI on July 1, 2026 at 01:26 UTC.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 02:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-284
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 01:45:00 +0000

Type | Values Removed | Values Added
Title | | Remote attacker can read renderer memory via crafted HTML due to insufficient policy enforcement in Chrome
Weaknesses | | CWE-200

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient policy enforcement in Passwords in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-01T01:17:25.117Z

Reserved: 2026-06-29T23:03:55.637Z

Link: CVE-2026-13933

Vulnrichment

Updated: 2026-07-01T01:08:14.448Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T01:30:17Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-284

    Improper Access Control