{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6312", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-14T18:12:25.503Z", "datePublished": "2026-04-15T19:04:54.385Z", "dateUpdated": "2026-04-15T19:59:44.768Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.101", "status": "affected", "lessThan": "147.0.7727.101", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Insufficient policy enforcement in Passwords in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Insufficient policy enforcement"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-15T19:04:54.385Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html"}, {"url": "https://issues.chromium.org/issues/498269651"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T19:58:49.979069Z", "id": "CVE-2026-6312", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T19:59:44.768Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-6312", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T19:58:49.979069Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T19:59:10.795Z"}}], "cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"status": "affected", "version": "147.0.7727.101", "lessThan": "147.0.7727.101", "versionType": "custom"}]}], "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html"}, {"url": "https://issues.chromium.org/issues/498269651"}], "descriptions": [{"lang": "en", "value": "Insufficient policy enforcement in Passwords in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Insufficient policy enforcement"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-15T19:04:54.385Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6312", "state": "PUBLISHED", "dateUpdated": "2026-04-15T19:59:44.768Z", "dateReserved": "2026-04-14T18:12:25.503Z", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "datePublished": "2026-04-15T19:04:54.385Z", "assignerShortName": "Chrome"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Insufficient policy enforcement in Passwords in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)"}], "id": "CVE-2026-6312", "lastModified": "2026-04-15T20:16:40.940", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-15T20:16:40.940", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/498269651"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Received"}

{"bugzilla": {"description": "Google Chrome: Chromium: Google Chrome: Information disclosure via insufficient policy enforcement in Passwords", "id": "2458807", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458807"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-346", "details": ["A flaw was found in Google Chrome's Passwords feature. This vulnerability, caused by insufficient policy enforcement, could allow a remote attacker who has already compromised the browser's renderer process to leak sensitive cross-origin data. This exploitation is achieved by tricking a user into interacting with a specially crafted HTML page, leading to unauthorized information disclosure."], "name": "CVE-2026-6312", "public_date": "2026-04-15T19:04:54Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-6312\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-6312\nhttps://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html\nhttps://issues.chromium.org/issues/498269651"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[147.0.7727.101,147.0.7727.101)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-17T09:23:17.079420+00:00", "value": {"mitigation_remediation": ["Update Google Chrome to version 147.0.7727.101 or newer before the next scheduled release. This patch restores proper policy enforcement and prevents cross\u2011origin data leakage.", "If an update cannot be applied immediately, temporarily disable automatic password saving by clearing the Password Manager setting or accessing chrome://settings/passwords and turning off the option to store passwords. This reduces the attack surface while the vulnerability remains unpatched.", "Run Chrome with extensions disabled (i.e., launch with the command\u2011line flag --disable-extensions) to limit potential renderer compromise until the patch is installed."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011origin data leakage via unprotected password policies"}, "threat_synthesis": {"affected_systems": "Google Chrome installations up to and including version 147.0.7727.100 are affected. Any Chrome user running a build older than 147.0.7727.101 may be vulnerable unless other mitigations are in place.", "description_and_impact": "The vulnerability is an insufficient policy enforcement in the password management component of Google Chrome. A remote attacker who has already compromised the renderer process can craft an HTML page that triggers the leakage of data originating from another domain. The primary consequence is the exposure of sensitive cross\u2011origin information, potentially including credentials stored in the password manager, without providing an attacker direct code execution or denial of service capability. The weakness can be classified as an information exposure flaw.", "risk_and_exploitability": "Chromium labels the issue as low severity with a CVSS base score of 3.1. However, the CVE description rates the issue as high severity. The EPSS score is < 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation to date. The attack requires that an attacker already holds a foothold in the renderer process, which typically demands a separate compromise such as a malicious extension or a buffer overrun elsewhere. Because the exploit path is non\u2011trivial, the risk is moderate to low for a user with an unpatched browser, but the likelihood of exploitation in the wild remains uncertain."}}}}, "created": "2026-04-15T21:30:13.804920+00:00", "updated": "2026-04-17T09:30:14.470030+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}