Description
Insufficient policy enforcement in StorageAccessAPI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from insufficient policy enforcement in Chrome’s StorageAccessAPI. An attacker who has already compromised the renderer process can supply a specially crafted HTML page that causes the browser to expose data from another origin. This allows the attacker to read cross‑origin content that should be protected. The weakness corresponds to CWE‑20 and can lead to data leakage and a privacy breach.

Affected Systems

Google Chrome versions older than 150.0.7871.47 are affected. The issue was fixed in the 150.0.7871.47 update, so any installation of Chrome with a version number less than that is susceptible.

Risk and Exploitability

The CVE has a Chromium severity of Medium. No EPSS score is available, so the exploit probability has not been quantified, and the CVE is not listed in the CISA KEV catalogue. Exploitation requires a compromised renderer process, which is not trivial; the attacker also needs to supply a crafted HTML page. Given these conditions, the risk is moderate but could be high if the renderer is already compromised.

Generated by OpenCVE AI on July 1, 2026 at 02:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Chrome update (150.0.7871.47 or later) to ensure the policy enforcement is applied.
  • If an immediate update is not possible, disable or restrict StorageAccessAPI usage via enterprise policy to prevent the cross‑origin leakage until the patch is applied.
  • Review and isolate any renderer processes that may have been compromised, and perform a security audit for suspicious cross‑origin data access.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 02:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | | Cross‑Origin StorageAccessAPI Data Leak Due to Insufficient Policy Enforcement |

Tue, 30 Jun 2026 23:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Insufficient policy enforcement in StorageAccessAPI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) |
| Weaknesses | | CWE-20 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:59.080Z

Reserved: 2026-06-29T23:04:20.181Z

Link: CVE-2026-14021

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T02:15:07Z

Weaknesses
  • CWE-20: Improper Input Validation