Description
Insufficient policy enforcement in Network in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-05-14
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from insufficient policy enforcement in the Network component of Google Chrome for Android. A crafted HTML page can exploit a compromised renderer process to read data from other origins, enabling a remote attacker to leak cross‑origin confidential information. The primary impact is information disclosure and is classified as Medium severity by Chromium's security team.

Affected Systems

This flaw affects Google Chrome installations on Android devices running any version prior to 148.0.7778.168. The affected component is the Network module within the renderer process. Users of older Android Chrome releases are at risk; newer releases beyond the noted version are presumed fixed.

Risk and Exploitability

The CVSS score is 3.1, a low severity rating, and the EPSS score is less than 1%, indicating a very low probability of exploitation in the wild. The vulnerability requires a remote attacker to have already compromised the renderer process to craft a malicious HTML page; therefore exploitation is limited to situations where the renderer has been subverted, such as via another vulnerability or malicious app. The flaw does not provide arbitrary code execution but allows leaking of cross‑origin data, representing an information disclosure risk.

Generated by OpenCVE AI on May 15, 2026 at 17:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome on all Android devices to the latest stable channel (version 148.0.7778.168 or newer) as released by Google.
  • If an immediate update is not possible, limit access to untrusted sites or enforce strict cross‑origin policies on trusted applications to reduce exposure.
  • Monitor device logs for signs of unauthorized data exfiltration and consider implementing network‑level filtering or a managed device policy that isolates renderer processes.

Generated by OpenCVE AI on May 15, 2026 at 17:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6273-1 chromium security update
History

Fri, 15 May 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-285

Fri, 15 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}

Fri, 15 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title Insufficient Network Policy Enforcement Enables Cross‑Origin Data Leak in Android Chrome chromium-browser: chromium-browser: Insufficient policy enforcement in Network
Weaknesses CWE-346
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N'}

threat_severity

Moderate

Thu, 14 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 14 May 2026 22:45:00 +0000

Type Values Removed Values Added
Title Insufficient Network Policy Enforcement Enables Cross‑Origin Data Leak in Android Chrome
Weaknesses CWE-200
CWE-285

Thu, 14 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in Network in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-15T13:45:57.495Z

Reserved: 2026-05-14T05:40:24.932Z

Link: CVE-2026-8572

cve-icon Vulnrichment

Updated: 2026-05-15T13:45:54.077Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-14T20:17:19.493

Modified: 2026-05-15T15:16:55.730

Link: CVE-2026-8572

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-14T19:52:33Z

Links: CVE-2026-8572 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T17:45:04Z

Weaknesses