Description
Side-channel information leakage in WebAuthentication in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Chrome for iOS contains an information-leakage flaw in which WebAuthentication may reveal data from other origins through a side channel. By getting a victim to load a specially crafted HTML page, a remote attacker can trigger the leak and obtain sensitive information that would normally be protected by the same-origin policy. The weakness is categorized as CWE-1300 and involves improper handling of authentication material across origins. It exposes data to the malicious page but does not grant control of the system. The severity is assessed as low according to Chromium's official rating.

Affected Systems

The issue affects Google Chrome on iOS devices running versions prior to 150.0.7871.47. All installations of Chrome below that version running on iOS are vulnerable.

Risk and Exploitability

Exploitability is remote, relying on the victim visiting a malicious web page that triggers the WebAuthentication side‑channel. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, which indicates a low risk of widespread exploitation at this time. However, because the attack vector is simple—load a crafted page—any user who visits malicious content on an affected Chrome browser could have their origin data exposed.

Generated by OpenCVE AI on July 1, 2026 at 01:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome on all iOS devices to version 150.0.7871.47 or later.
  • If feasible, disable WebAuthentication in the Chrome settings or remove the feature from the browser’s configuration to prevent the side‑channel from being usable.
  • Keep Chrome and iOS system software up to date and monitor future release notes for additional security fixes.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 02:15:00 +0000

Values Removed: none
Values Added:
  • Title: Cross-Origin Data Leakage via Side-Channel in Chrome iOS WebAuthentication

Tue, 30 Jun 2026 23:15:00 +0000

Values Removed: none
Values Added:
  • Description: Side-channel information leakage in WebAuthentication in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
  • Weaknesses: CWE-1300
  • References:

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:39:17.709Z

Reserved: 2026-06-29T23:11:36.889Z

Link: CVE-2026-14074

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T02:00:07Z

Weaknesses
  • CWE-1300: Improper Protection of Physical Side Channels