Description
Insufficient validation of untrusted input in WebShare in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient validation of untrusted input in Chrome’s WebShare feature permits a remote attacker who has already compromised the renderer process to craft an HTML page that can spoof user interface elements. The weakness allows the attacker to manipulate the appearance of the browser UI, potentially deceiving users into interacting with malicious content under the guise of legitimate UI actions. The vulnerability is flagged as a medium severity issue based on Chromium’s internal grading.

Affected Systems

The flaw affects Google Chrome for Android, specifically versions prior to 150.0.7871.47. The exact list of impacted builds is not explicitly enumerated, but any Chrome for Android installation below the referenced build number is vulnerable. No specific vendor product sub-versions are listed beyond the general Chrome product designation.

Risk and Exploitability

Exploitation requires the attacker to already have control over the renderer process, which narrows the available attack surface compared to a fully remote vulnerability. The EPSS score is not available, and the flaw is not listed in the CISA KEV catalog. Given the medium severity rating and the prerequisite of renderer compromise, the likely risk is moderate, with low to medium likelihood of widespread exploitation in the near term.

Generated by OpenCVE AI on July 1, 2026 at 02:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome for Android to version 150.0.7871.47 or later, or to the latest stable release
  • Ensure that the browser is configured to block or disable WebShare for sites that do not require it
  • Use security extensions or enterprise policies to restrict renderer privilege escalation

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 03:15:00 +0000

Type | Values Removed | Values Added
Title | | Chrome Android UI Spoofing via Untrusted WebShare Input

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient validation of untrusted input in WebShare in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses | | CWE-20
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:28.760Z

Reserved: 2026-06-29T23:03:57.058Z

Link: CVE-2026-13939

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T03:00:12Z

Weaknesses
  • CWE-20

    Improper Input Validation