Impact
The flaw is in the WebXR module of Google Chrome for Android versions earlier than 150.0.7871.47. An attacker can craft a malicious HTML page that causes the browser to ignore its normal navigation restrictions, allowing an unsolicited redirect to a site of the attacker's choice. The vulnerability does not grant code execution or privilege escalation, but it facilitates phishing and other social-engineering attacks by letting the attacker take control of the user's navigation flow.
Affected Systems
All Android users who have Chrome installed at a version older than 150.0.7871.47 are affected. This includes every device that has not yet applied the incremental security update released on 17 June 2026.
Risk and Exploitability
The vulnerability is rated Low under Chromium's internal severity rating, and it is not listed in the CISA KEV catalog. No EPSS score is available. The attack vector is remote: any web page can trigger the bypass when viewed with the affected browser. Although exploitation is straightforward, the impact is limited to unwanted navigation and possible phishing; an attacker cannot gain local privileges or execute arbitrary code. The overall risk remains low, but the ability to redirect users is still valuable to attackers seeking to conceal malicious payloads.
OpenCVE Enrichment