Description
Insufficient policy enforcement in Clipboard in Google Chrome prior to 146.0.7680.71 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-03-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑origin Data Leakage via Clipboard
Action: Patch
AI Analysis

Impact

Insufficient enforcement of clipboard policy in Chrome before 146.0.7680.71 lets a compromised renderer process access and leak data that originates from a different origin when a specially crafted HTML page is loaded. The result is a breach of confidentiality, allowing the attacker to exfiltrate sensitive information that was previously protected by cross‑origin boundaries. The weakness manifests as a failure to adequately authorise clipboard access and is identified as CWE‑284.

Affected Systems

The flaw affects Google Chrome on all platforms (Windows, macOS, Linux) prior to version 146.0.7680.71. No other vendors or versions are listed as vulnerable in the CNA data.

Risk and Exploitability

The CVSS v3.1 score of 6.5 indicates moderate severity, while the EPSS rating of less than one percent suggests a low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a pre‑existing compromise of the renderer process, likely achieved through a separate flaw or social‑engineering attack, after which the attacker can craft a page that reads clipboard data and exfiltrates it. Given the requirement for a local compromise and the low EPSS probability, the overall risk is moderate but not imminent.

Generated by OpenCVE AI on April 16, 2026 at 02:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 146.0.7680.71 or later.
  • Enable automatic updates for Chrome to ensure the latest security fixes are applied without delay.
  • If available, apply an enterprise policy to restrict clipboard access across origins, or use a browser extension that blocks cross‑origin clipboard reads until the bug is fixed.

Generated by OpenCVE AI on April 16, 2026 at 02:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6164-1 chromium security update
History

Mon, 16 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Sat, 14 Mar 2026 04:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}

Fri, 13 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Insufficient policy enforcement in Clipboard
References
Metrics threat_severity

None

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}

threat_severity

Low

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 11 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in Clipboard in Google Chrome prior to 146.0.7680.71 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-03-14T03:15:40.715Z

Reserved: 2026-03-11T05:54:14.906Z

Link: CVE-2026-3938

cve-icon Vulnrichment

Updated: 2026-03-14T03:10:40.544Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T22:16:36.477

Modified: 2026-03-16T18:10:25.447

Link: CVE-2026-3938

cve-icon Redhat

Severity : Low

Publid Date: 2026-03-10T00:00:00Z

Links: CVE-2026-3938 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T03:00:09Z

Weaknesses