Description
Insufficient policy enforcement in Payments in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient policy enforcement in the Payments component of Google Chrome on Android allows a crafted HTML page to read process memory and leak potentially sensitive information, including payment data. This vulnerability compromises confidentiality by enabling an attacker to extract data that should be protected and could lead to financial loss or identity theft.

Affected Systems

Google Chrome for Android versions prior to 150.0.7871.47 are affected. All users running these versions should consider an upgrade as the issue is tied to the Payments functionality within Chrome.

Risk and Exploitability

The vulnerability is categorized as medium severity by Chromium security. The attack vector is inferred to be a remote attacker loading a malicious HTML page while the browser is open; no exploit code or public exploit has been disclosed and it is not listed in the CISA KEV catalog. With no EPSS score available, the likelihood can be considered moderate and the risk primarily stems from the potential for information disclosure if an adversary can serve a crafted page to a victim device.

Generated by OpenCVE AI on July 1, 2026 at 01:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 150.0.7871.47 or later on all Android devices.
  • Disable the Payments feature for all sites via chrome://flags or site settings until the browser is updated.
  • Use device management to enforce app updates and monitor for suspicious memory access patterns.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 02:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-284 |
| Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'} |
| | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Wed, 01 Jul 2026 01:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Insufficient Policy Enforcement in Chrome Android Payments Leads to Process Memory Disclosure |
| Weaknesses | | CWE-200 |

Tue, 30 Jun 2026 23:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Insufficient policy enforcement in Payments in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) |
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-01T01:17:10.728Z

Reserved: 2026-06-29T23:03:59.485Z

Link: CVE-2026-13949

Vulnrichment

Updated: 2026-07-01T01:09:05.788Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T01:30:17Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-284

    Improper Access Control