Description
Inappropriate implementation in Input in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-30
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from an improper separation of input contexts in Chrome’s Android renderer, allowing data from a different origin to be accessed once the renderer is compromised. This flaw does not grant code execution or privilege escalation but exposes sensitive information from unrelated web pages, thereby violating confidentiality. The exploit relies on a pre‑existing compromise of the renderer process; without that foothold, the attacker cannot reach the vulnerability.

Affected Systems

Google Chrome for Android prior to version 150.0.7871.47 is affected. Users running these builds are susceptible to cross‑origin data leakage if an attacker has already compromised the renderer process.

Risk and Exploitability

Chromium labels the issue as low severity and does not publish a CVSS score. EPSS is not available, and the vulnerability is not in CISA’s KEV list. The need for a compromised renderer constrains the attack surface; no public exploit is known. Updating to the patched release removes the flaw, mitigating risk.

Generated by OpenCVE AI on July 1, 2026 at 15:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome on Android to version 150.0.7871.47 or later.
  • If an immediate update is not possible, restrict renderer process privileges and enforce stricter same‑origin checks via Chrome’s security flags.
  • Monitor browser telemetry for anomalous cross‑origin data access and apply data‑loss‑prevention controls to limit potential exposure.



Advisories

No advisories yet.

History

Wed, 01 Jul 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 15:45:00 +0000

Type Values Removed Values Added
Title Chrome Android Cross‑Origin Data Leakage via Renderer Compromise
Weaknesses CWE-200

Wed, 01 Jul 2026 11:45:00 +0000

Type Values Removed Values Added
Title Cross‑Origin Data Leakage via Crafted HTML Page in Chrome on Android
First Time appeared Google
Google chrome
Weaknesses CWE-200
Vendors & Products Google
Google chrome

Wed, 01 Jul 2026 04:15:00 +0000

Type Values Removed Values Added
Title Cross‑Origin Data Leakage via Crafted HTML Page in Chrome on Android
Weaknesses CWE-200

Tue, 30 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Input in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-01T16:01:58.063Z

Reserved: 2026-06-29T23:11:41.327Z

Link: CVE-2026-14096

Vulnrichment

Updated: 2026-07-01T16:01:37.099Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T15:30:18Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor