Description
Side-channel information leakage in WebAudio in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-30
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a side‑channel leak in Chrome’s WebAudio component, allowing a malicious web page to read data from other origins. By crafting audio processing operations, the attacker can retrieve confidential information even though same‑origin restrictions normally block such access. The weakness aligns with CWE‑1300 and CWE‑203.

Affected Systems

Affected software is Google Chrome for desktop, with the issue present in all builds older than version 150.0.7871.47. No other vendors or product families are listed; the scope is limited to browsers built from the Chromium source tree.

Risk and Exploitability

Chromium classifies the issue as low severity, but the CVSS score is 6.5, indicating medium‑level risk. The EPSS score is < 1% and the vulnerability is not listed in CISA’s KEV catalog. To exploit the flaw an attacker must convince a user to load a crafted page in a vulnerable Chrome browser; the attack does not grant code execution or denial of service, but can expose private data across origin boundaries.

Generated by OpenCVE AI on July 1, 2026 at 20:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Google Chrome 150.0.7871.47 or newer.
  • If a patch cannot be applied immediately, configure the enterprise policy to disable the WebAudio API by setting "WebAudioEnabled" to false.
  • As an additional short‑term measure, enforce a content‑security‑policy that blocks creation of audio nodes from third‑party origins, thereby limiting the attack surface.

Generated by OpenCVE AI on July 1, 2026 at 20:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 20:30:00 +0000

Type Values Removed Values Added
Title WebAudio Side‑Channel Leakage in Chrome

Wed, 01 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-203
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 10:00:00 +0000

Type Values Removed Values Added
Title Cross‑Origin Data Leakage via WebAudio Side‑Channel in Chrome

Wed, 01 Jul 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 01 Jul 2026 02:15:00 +0000

Type Values Removed Values Added
Title Cross‑Origin Data Leakage via WebAudio Side‑Channel in Chrome

Tue, 30 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Side-channel information leakage in WebAudio in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Weaknesses CWE-1300
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-01T12:54:48.810Z

Reserved: 2026-06-29T23:11:36.297Z

Link: CVE-2026-14071

cve-icon Vulnrichment

Updated: 2026-07-01T12:54:40.495Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T20:15:05Z

Weaknesses
  • CWE-1300

    Improper Protection of Physical Side Channels

  • CWE-203

    Observable Discrepancy