Description
Inappropriate implementation in CustomTabs in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An inappropriate implementation in the CustomTabs component of Google Chrome on Android allowed a remote attacker to bypass the same‑origin policy by loading a specially crafted HTML page. The vulnerability is limited to the CustomTabs feature and is classified as low severity by Chromium. If exploited, an attacker could access or modify resources that should be protected by web isolation policies, potentially leaking sensitive data or influencing page behavior.

Affected Systems

Google Chrome on Android versions prior to 150.0.7871.47. The issue is contained to the CustomTabs context and does not affect other browser components.

Risk and Exploitability

The vulnerability can be triggered remotely by delivering the crafted page to a device running the affected Chrome version. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, indicating low exploitation likelihood. The lack of a high CVSS score and absence of known public exploitation further suggest that the risk level is modest, but the same‑origin policy breach could materialize serious privacy or integrity impacts if an attacker crafts malicious content.

Generated by OpenCVE AI on July 1, 2026 at 04:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 150.0.7871.47 or later to apply the fix for the CustomTabs implementation.
  • Disable CustomTabs functionality by uninstalling or disabling apps that register for CustomTabs, or configure Chrome policy to reject CustomTabs requests.
  • Monitor for CustomTabs activity and restrict third‑party apps that launch CustomTabs until a patch is available.

Generated by OpenCVE AI on July 1, 2026 at 04:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 04:30:00 +0000

Type Values Removed Values Added
Title Same-Origin Policy Bypass via CustomTabs in Chrome
Weaknesses CWE-79

Tue, 30 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in CustomTabs in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:39:07.699Z

Reserved: 2026-06-29T23:11:31.144Z

Link: CVE-2026-14046

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T04:15:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')