Description
Inappropriate implementation in Passwords in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Google Chrome for Android contains an inappropriate implementation in its passwords feature that allows a remote attacker to read potentially sensitive information from process memory. A crafted HTML page can trigger this flaw, enabling the protected. The weakness directly leads to exposure of confidential information; no denial of service or code execution is described.

Affected Systems

Chrome running on Android devices prior to version 150.0.7871.47 is affected. This includes all builds of the stable channel before that release.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote (CVSS AV:N) but requires user interaction (UI:R): the victim must open a malicious HTML page, so exploitation cannot happen without the user's involvement. It still poses a significant privacy risk. The Chromium security severity is Medium, indicating a moderate but real threat level.

Generated by OpenCVE AI on July 1, 2026 at 01:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 150.0.7871.47 or later on all Android devices.
  • Ensure automatic updates are enabled so future critical patches are applied promptly.
  • If updating immediately is not possible, avoid navigating to untrusted sites that may host malicious crafted pages until the update can be installed.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 02:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-284
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 01:45:00 +0000

Type | Values Removed | Values Added
Title | | Remote Memory Disclosure via Crafted HTML Page in Chrome Passwords
Weaknesses | | CWE-200

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Inappropriate implementation in Passwords in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-01T01:30:51.798Z

Reserved: 2026-06-29T23:03:56.350Z

Link: CVE-2026-13936

Vulnrichment

Updated: 2026-07-01T01:30:40.015Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T01:30:17Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-284

    Improper Access Control