Description
Inappropriate implementation in SplitView in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Chrome’s SplitView component allowed an attacker who had already compromised a renderer process to bypass navigation restrictions, enabling a crafted HTML page to direct the user to malicious sites or content. Chromium notes it as a medium‑severity issue. The vulnerability would let a malicious renderer redirect or force navigation that normally would be blocked, potentially leading to phishing or other user‑targeted attacks, but does not provide direct code execution or system compromise.

Affected Systems

All users running Google Chrome versions prior to 150.0.7871.47 on any operating system are affected, regardless of platform. The issue exists in the core rendering engine accessed by all installed Chrome instances that run the SplitView UI.

Risk and Exploitability

No EPSS score is currently available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to first compromise a renderer process, which typically means delivering malicious content or exploiting a separate vulnerability. Once renderer compromise is achieved, the attacker can use the SplitView bypass to redirect users or alter navigation, presenting an elevated phishing risk. The CVSS score is not provided, but the medium severity rating indicates significant risk if the renderer is already compromised. Applying the fix mitigates the bypass and removes this potential attack path.

Generated by OpenCVE AI on July 1, 2026 at 02:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 150.0.7871.47 or later to eliminate the SplitView flaw.
  • If a patch cannot be deployed immediately, disable the SplitView feature via chrome://flags or enterprise policy to prevent the navigation bypass.
  • Disable or remove browser extensions that could provide renderer access or otherwise compromise the renderer process until a patch is applied.


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 03:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Chrome SplitView Navigation Restriction Bypass via Compromised Renderer |
| Weaknesses | | CWE-269, CWE-601 |

Tue, 30 Jun 2026 23:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Inappropriate implementation in SplitView in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium) |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:34.018Z

Reserved: 2026-06-29T23:04:00.454Z

Link: CVE-2026-13953

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T02:45:03Z

Weaknesses
  • CWE-269: Improper Privilege Management
  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')