Description
Insufficient policy enforcement in Passwords in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Published: 2026-04-15
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑origin data leakage via unprotected password policies
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an insufficient policy enforcement in the password management component of Google Chrome. A remote attacker who has already compromised the renderer process can craft an HTML page that triggers the leakage of data originating from another domain. The primary consequence is the exposure of sensitive cross‑origin information, potentially including credentials stored in the password manager, without providing an attacker direct code execution or denial of service capability. The weakness can be classified as an information exposure flaw.

Affected Systems

Google Chrome installations up to and including version 147.0.7727.100 are affected. Any Chrome user running a build older than 147.0.7727.101 may be vulnerable unless other mitigations are in place.

Risk and Exploitability

Chromium labels the issue as low severity with a CVSS base score of 3.1. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation to date. The attack requires that an attacker already holds a foothold in the renderer process, which typically demands a separate compromise such as a malicious extension or a buffer overrun elsewhere. Because the exploit path is non‑trivial, the risk is moderate to low for a user with an unpatched browser, but the likelihood of exploitation in the wild remains uncertain.

Generated by OpenCVE AI on April 15, 2026 at 21:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 147.0.7727.101 or newer before the next scheduled release. This patch restores proper policy enforcement and prevents cross‑origin data leakage.
  • If an update cannot be applied immediately, temporarily disable automatic password saving by clearing the Password Manager setting or accessing chrome://settings/passwords and turning off the option to store passwords. This reduces the attack surface while the vulnerability remains unpatched.
  • Run Chrome with extensions disabled (i.e., launch with the command‑line flag --disable-extensions) to limit potential renderer compromise until the patch is installed.

Generated by OpenCVE AI on April 15, 2026 at 21:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Title Cross‑Origin Data Leakage via Password Policy Enforcement Bypass in Google Chrome Google Chrome: Chromium: Google Chrome: Information disclosure via insufficient policy enforcement in Passwords
Weaknesses CWE-346
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 15 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
Title Cross‑Origin Data Leakage via Password Policy Enforcement Bypass in Google Chrome
Weaknesses CWE-200

Wed, 15 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 15 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in Passwords in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-15T19:59:44.768Z

Reserved: 2026-04-14T18:12:25.503Z

Link: CVE-2026-6312

cve-icon Vulnrichment

Updated: 2026-04-15T19:59:10.795Z

cve-icon NVD

Status : Received

Published: 2026-04-15T20:16:40.940

Modified: 2026-04-15T20:16:40.940

Link: CVE-2026-6312

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-15T19:04:54Z

Links: CVE-2026-6312 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T22:00:06Z

Weaknesses