Description
Insufficient policy enforcement in GetUserMedia in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient policy enforcement in Chrome’s GetUserMedia allowed a remote attacker to bypass the same-origin policy through a crafted HTML page, potentially enabling cross-origin data exfiltration. The vulnerability exists because media device access permissions are not correctly enforced, leading to unintended access across origin boundaries. This flaw can be used by an attacker hosting a malicious page to gain access to media streams or hidden information that should have been restricted to the original origin.

Affected Systems

All users of Google Chrome versions earlier than 150.0.7871.47 are affected, regardless of operating system, until the update is applied.

Risk and Exploitability

The vulnerability is rated Low in Chromium’s internal severity scale. No EPSS score is available, and it is not listed in CISA’s KEV catalog. The likely attack vector requires an attacker to host a specially crafted web page that the victim visits. Because the flaw lies in policy enforcement rather than in a direct code execution path, its impact is relatively limited, but it still lifts the same-origin restriction and can allow data leakage or interactions with media devices that the victim would normally be prevented from accessing.

Generated by OpenCVE AI on July 1, 2026 at 05:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 150.0.7871.47 or later
  • If an immediate upgrade is not possible, configure the Chrome policy "MediaStreamDevicesAllowed" or a custom policy in enterprise environments to block GetUserMedia on all sites
  • Educate users to avoid visiting untrusted web pages and to be vigilant when the browser prompts for camera or microphone access



Advisories

No advisories yet.

History

Wed, 01 Jul 2026 04:30:00 +0000

Type          Values Removed    Values Added
Title         -                 Same Origin Policy Bypass via GetUserMedia Media Access in Chrome
Weaknesses    -                 CWE-284

Tue, 30 Jun 2026 23:15:00 +0000

Type          Values Removed    Values Added
Description   -                 Insufficient policy enforcement in GetUserMedia in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
References    -                 -

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:39:05.209Z

Reserved: 2026-06-29T23:11:29.753Z

Link: CVE-2026-14039

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T05:15:04Z

Weaknesses