Description
Insufficient policy enforcement in Passwords in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Published: 2026-04-15
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the password management logic of Google Chrome, where the enforcement of password policies is incorrectly applied. A remote attacker who has successfully compromised the renderer process can create a crafted HTML page that triggers the release of data originating from another origin. This results in the exposure of information that the victim’s browser holds but does not grant the attacker privilege escalation or denial of service. The weakness is an information‑exposure flaw.

Affected Systems

All builds of Google Chrome up to and including 147.0.7727.100 are affected. Any installation that has not been updated to 147.0.7727.101 or later remains vulnerable, regardless of operating system.

Risk and Exploitability

The CVSS base score of 3.1 and an EPSS of less than 1% indicate a low likelihood of exploitation in the wild. The exploit path requires the attacker to first compromise the renderer process, usually via a separate foothold such as a malicious extension or another vulnerability. The vulnerability is not listed in the CISA KEV catalog. Consequently, the risk to an unpatched user is low; however, the potential impact of cross‑origin data disclosure could be significant if malicious data is retrieved.

Generated by OpenCVE AI on May 10, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the Chrome update 147.0.7727.101 or later, which corrects the flawed policy enforcement.
  • If a quick update is not feasible, disable automatic password saving by editing the Password Manager setting in chrome://settings/passwords to reduce the amount of potentially leaked data.
  • Launch Chrome with extensions disabled (using the --disable-extensions flag) to reduce the likelihood that a renderer process can be compromised from a malicious extension.

Generated by OpenCVE AI on May 10, 2026 at 16:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6214-1 chromium security update
History

Sun, 10 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Fri, 17 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 17 Apr 2026 08:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Thu, 16 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Title Cross‑Origin Data Leakage via Password Policy Enforcement Bypass in Google Chrome Google Chrome: Chromium: Google Chrome: Information disclosure via insufficient policy enforcement in Passwords
Weaknesses CWE-346
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 15 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
Title Cross‑Origin Data Leakage via Password Policy Enforcement Bypass in Google Chrome
Weaknesses CWE-200

Wed, 15 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 15 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in Passwords in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-10T13:21:15.058Z

Reserved: 2026-04-14T18:12:25.503Z

Link: CVE-2026-6312

cve-icon Vulnrichment

Updated: 2026-04-15T19:59:10.795Z

cve-icon NVD

Status : Modified

Published: 2026-04-15T20:16:40.940

Modified: 2026-05-10T14:16:51.183

Link: CVE-2026-6312

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-15T19:04:54Z

Links: CVE-2026-6312 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-10T17:00:12Z

Weaknesses