Description
Insufficient data validation in PDF in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An insufficient data validation flaw in the PDF handling code of Google Chrome allows a remote attacker who has already compromised the renderer process to bypass navigation restrictions via a crafted HTML page. The underlying weakness is improper input validation (CWE-20). This flaw lets the attacker force the browser to navigate to arbitrary URLs even when navigation is meant to be blocked, potentially enabling phishing or other malicious resource loading.

Affected Systems

Google Chrome desktop versions prior to 150.0.7871.47 are affected. The vulnerability exists in all older releases until the update that includes the fix. No specific patch is currently published beyond the announced version.

Risk and Exploitability

The Chromium project rates the issue as Medium severity, and no EPSS score or KEV listing is available. Exploitation requires that the attacker has already compromised the renderer process. Once that occurs, the attacker can use a crafted HTML page to trigger navigation to a target URL, bypassing standard restrictions. Because the flaw is not itself remote code execution and relies on prior compromise, the overall risk is limited, but it remains significant in scenarios where a renderer compromise can be achieved, such as via other vulnerabilities or social engineering. No publicly known exploits are listed in CISA KEV.

Generated by OpenCVE AI on July 1, 2026 at 01:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 150.0.7871.47 or later.
  • Limit the privileges of the renderer process through sandboxing or browser policy to reduce the impact of a compromise.
  • Configure browsers to enforce stricter navigation policies or use whitelisting to block unintended redirects.
  • Monitor browser traffic for anomalous navigation patterns that could indicate exploitation.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 01:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | | Insufficient PDF Validation Allows Renderer Process to Bypass Navigation Restrictions |
| Weaknesses | | CWE-20 |

Tue, 30 Jun 2026 23:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Insufficient data validation in PDF in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium) |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:37.300Z

Reserved: 2026-06-29T23:04:02.715Z

Link: CVE-2026-13962

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T01:30:17Z

Weaknesses
  • CWE-20: Improper Input Validation