Description
Inappropriate implementation in Views in Google Chrome on ChromeOS prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. (Chromium security severity: Low)
Published: 2026-06-30
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an inappropriate implementation in the Views component of Google Chrome on ChromeOS that permits a maliciously crafted extension to read sensitive data from the browser’s process memory. When a user installs such an extension, the attacker can extract potentially confidential information, including credentials or personal data, that resides in memory. This results in an information exposure flaw identified by the vendor as low severity. The access is limited to the memory space of the user’s browser process and does not provide direct code execution.

Affected Systems

ChromeOS users with Google Chrome versions earlier than 150.0.7871.47 are affected. The issue concerns the Chrome browser running on ChromeOS only; no other operating systems are listed.

Risk and Exploitability

Exploitation requires a user to willingly install a malicious extension, so it depends on social engineering. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting a lower likelihood of widespread exploitation. Nonetheless, because the flaw allows memory disclosure, it remains a serious privacy risk for users who install unverified extensions. The CVSS score is 5.9, indicating moderate severity and confirming that direct exploitation is more constrained than for higher-risk vulnerabilities.

Generated by OpenCVE AI on July 1, 2026 at 07:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 150.0.7871.47 or later
  • Configure Chrome or enterprise policy to block installation of untrusted extensions
  • Educate users to verify extension permissions before installation

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 07:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google; Google chrome
Vendors & Products | | Google; Google chrome

Wed, 01 Jul 2026 07:30:00 +0000

Type | Values Removed | Values Added
Title | | Memory Information Leak via Malicious Chrome Extension on ChromeOS

Wed, 01 Jul 2026 02:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}
 | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Jul 2026 02:15:00 +0000

Type | Values Removed | Values Added
Title | | Memory Information Leak via Malicious Chrome Extension on ChromeOS
Weaknesses | | CWE-200

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Inappropriate implementation in Views in Google Chrome on ChromeOS prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. (Chromium security severity: Low)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-01T01:36:31.402Z

Reserved: 2026-06-29T23:11:34.488Z

Link: CVE-2026-14062

Vulnrichment

Updated: 2026-07-01T01:12:35.324Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T07:30:06Z

Weaknesses
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor