Impact
Insufficient policy enforcement in Google Chrome versions earlier than 150.0.7871.47 lets a remote attacker who has already compromised the renderer process read potentially sensitive data from process memory via a specially crafted HTML page. The vulnerability allows an attacker to expose confidential information and is classified as a medium severity issue by Chromium. The flaw is rooted in inadequate enforcement of policy boundaries in the renderer (CWE-200).
Affected Systems
The affected product is Google Chrome. Versions prior to 150.0.7871.47 are vulnerable; the update released in June 2026 contains the fix, so any Chrome installation older than that patch is impacted.
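To triage an inventory against the fixed version above, the following added example (not part of the advisory) classifies reported Chrome version strings. The hostnames, sample versions and function names are constructed for illustration; only the fixed version 150.0.7871.47 comes from the advisory.

```python
"""Flag Chrome installs older than the fixed build named in the advisory."""
import re

FIXED = (150, 0, 7871, 47)  # first fixed version, taken from the advisory text
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not MAJOR.MINOR.BUILD.PATCH."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_text):
    """Return 'vulnerable', 'fixed' or 'unknown' for one reported version."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # unparseable: needs manual follow-up, never assume fixed
    # Tuple comparison is numeric per component. Plain string comparison would
    # rank "150.0.7871.9" above "150.0.7871.47" and miss a vulnerable host.
    return "vulnerable" if v < FIXED else "fixed"


def triage(inventory):
    """Group hostnames by status, given a {hostname: version string} mapping."""
    result = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        result[classify(version)].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ws-01": "150.0.7871.47",      # exactly the fixed build
    "ws-02": "150.0.7871.9",       # older patch; sorts "higher" as a string
    "ws-03": "99.0.4844.84",       # old major; also sorts "higher" as a string
    "ws-04": "151.0.7900.3",       # newer major
    "ws-05": "150.0.7871",         # truncated report, cannot be judged
    "ws-06": " 149.0.7800.120\n",  # stray whitespace from a collection script
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts that land in `unknown` should be re-queried rather than treated as patched.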
Risk and Exploitability
The CVSS score is not disclosed, but Chromium labels the issue as Medium. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting a moderate likelihood of exploitation in the wild. The attack requires the attacker to already have compromised the renderer process, so it is not a general remote code execution vector; rather it is an information‑disclosure risk that depends on preliminary compromise. No known active exploits or zero‑day usage have been reported as of the latest advisory.