Description
Insufficient policy enforcement in ChromeDriver in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-03-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Same Origin Policy Bypass
Action: Immediate Patch
AI Analysis

Impact

A flaw in ChromeDriver’s policy enforcement lets a remote attacker supply a specially crafted HTML page that bypasses the same‑origin policy. This omission can allow the attacker to read or manipulate content from other origins, potentially enabling data theft or execution of malicious code in the context of a victim’s browser, which is a significant integrity breach. The weakness is an access‑control failure (CWE‑284). The description indicates that the vulnerability is classified as medium severity by Chromium’s own assessment.

Affected Systems

The vulnerability affects Google Chrome browsers that include ChromeDriver before the 146.0.7680.71 release. This includes installations on Windows, macOS, and Linux platforms where the legacy ChromeDriver component is active. Users of newer patched releases are not impacted.

Risk and Exploitability

The CVSS score of 6.5 denotes medium severity; however, the EPSS score is less than 1%, indicating a low probability of actual exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by delivering a crafted web page to a user running ChromeDriver, which suggests the attack vector is likely social‑engineering or local‑machine exploitation rather than a purely remote attack. Overall, the risk remains moderate but actionable before widespread exploitation occurs.

Generated by OpenCVE AI on April 16, 2026 at 02:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 146.0.7680.71 or later, which contains the fix for ChromeDriver policy enforcement.
  • Disable or restrict remote access to ChromeDriver by enforcing appropriate policies such as disabling remote automation features or limiting its usage to trusted environments.
  • Apply site‑content security policies that enforce strict same‑origin rules and validate any cross‑origin requests to mitigate potential exploitation until a patch is applied.

Generated by OpenCVE AI on April 16, 2026 at 02:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6164-1 chromium security update
History

Mon, 16 Mar 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Sun, 15 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}

Fri, 13 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Insufficient policy enforcement in ChromeDriver
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

threat_severity

Moderate

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 11 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in ChromeDriver in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-03-14T03:04:48.659Z

Reserved: 2026-03-11T05:54:13.882Z

Link: CVE-2026-3934

cve-icon Vulnrichment

Updated: 2026-03-14T03:04:42.525Z

cve-icon NVD

Status : Modified

Published: 2026-03-11T22:16:36.047

Modified: 2026-03-16T14:19:53.933

Link: CVE-2026-3934

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-10T00:00:00Z

Links: CVE-2026-3934 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T03:00:09Z

Weaknesses