Description
Insufficient validation of untrusted input in DevTools in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient validation of untrusted input in the DevTools window of Google Chrome on Windows lets a remote attacker, who convinces a user to perform specific UI gestures, read potentially sensitive data from the browser's process memory through a crafted HTML page. The flaw is tied to Input Validation weaknesses (CWE‑20). The attack requires user interaction with a malicious page that triggers DevTools actions, so it is not a purely blind remote exploit but still permits disclosure of in‑memory information that could include credentials or other sensitive data.

Affected Systems

Google Chrome for Windows versions earlier than 150.0.7871.47 are affected. The vulnerability was present in all stable channel builds up to that version and has been fixed in subsequent releases.

Risk and Exploitability

Chromium rates the issue as Medium severity. CVSS scoring is not provided, and the EPSS score is unavailable, but the exploitability depends on a user’s willingness to engage with a malicious page. Because it requires user interaction and untrusted input in DevTools, the risk is moderate, and the vulnerability is not listed in CISA’s KEV catalog. An attacker would need to lure a user to a crafted page and induce the specific UI gestures required to expose process memory contents.

Generated by OpenCVE AI on July 1, 2026 at 02:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 150.0.7871.47 or later to apply the official fix
  • Disable or restrict Chrome DevTools access for unprivileged users by enabling relevant Group Policy settings or Chrome flags to prevent unauthorized DevTools interactions
  • Educate users to avoid engaging with suspicious UI gestures or malicious pages that could exploit DevTools

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 03:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Jul 2026 03:00:00 +0000

Type: Title
Values Removed: (none)
Values Added: DevTools input validation flaw allows memory disclosure

Tue, 30 Jun 2026 23:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Insufficient validation of untrusted input in DevTools in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-20

Type: References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-01T01:23:36.938Z

Reserved: 2026-06-29T23:04:02.470Z

Link: CVE-2026-13961

Vulnrichment

Updated: 2026-07-01T01:23:33.497Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T02:45:03Z

Weaknesses
  • CWE-20: Improper Input Validation