Description
Insufficient policy enforcement in XML in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient XML policy enforcement in Google Chrome for Android allows a remote attacker to trigger a memory disclosure via a specially crafted HTML page. The flaw permits reading potentially sensitive information from the browser process’s memory. The vulnerability does not provide a path to execute arbitrary code or modify system state, so the primary impact is information disclosure.

Affected Systems

Google Chrome on Android versions earlier than 150.0.7871.47 are affected.

Risk and Exploitability

Because the flaw is triggered by a crafted HTML page, an Android user who visits a malicious site can exploit the vulnerability without authentication. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog. The reported medium severity rating indicates a moderate risk; an attacker could obtain private data but would not achieve code execution. No public exploits have been reported at this time.

Generated by OpenCVE AI on July 1, 2026 at 02:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 150.0.7871.47 or later
  • If an update cannot be applied, avoid visiting untrusted web pages or use a different browser
  • Ensure the device’s OS is kept current with the latest security patches

Generated by OpenCVE AI on July 1, 2026 at 02:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 03:00:00 +0000

Type Values Removed Values Added
Title Insufficient XML Policy Enforcement Leads to Memory Disclosure in Chrome Android
Weaknesses CWE-200

Wed, 01 Jul 2026 02:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in XML in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-01T01:16:55.832Z

Reserved: 2026-06-29T23:04:00.728Z

Link: CVE-2026-13954

cve-icon Vulnrichment

Updated: 2026-07-01T01:09:47.973Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T02:45:03Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-284

    Improper Access Control