CVE-2026-12446 Overview
CVE-2026-12446 affects the Passwords component in Google Chrome prior to version 149.0.7827.155. The flaw stems from an inappropriate implementation that allows a remote attacker to leak cross-origin data through a crafted HTML page. Chromium's security team rated the issue as High severity, while NVD assigned a medium CVSS rating of 4.3. Exploitation requires user interaction, such as visiting a malicious web page, but no authentication is needed. The weakness is categorized under CWE-863 (Incorrect Authorization). Successful exploitation results in confidentiality impact through cross-origin information disclosure, undermining the same-origin policy that browsers rely on to isolate web content.
Critical Impact
A remote attacker can leak cross-origin data from a victim's browser by luring the user to a crafted HTML page, bypassing same-origin isolation in the Passwords component.
Affected Products
- Google Chrome prior to 149.0.7827.155
- Chrome desktop on Microsoft Windows
- Chrome desktop on Apple macOS and Linux
Discovery Timeline
- 2026-06-17 - CVE-2026-12446 published to NVD
- 2026-06-18 - Last updated in NVD database
Technical Details for CVE-2026-12446
Vulnerability Analysis
The vulnerability resides in Chrome's Passwords subsystem, which manages stored credentials and autofill behavior. An inappropriate implementation permits a remote attacker to read data belonging to a different origin than the attacker-controlled page. This breaks the browser's same-origin policy, which is the primary boundary preventing one site from inspecting content or state belonging to another.
The weakness maps to CWE-863 (Incorrect Authorization), indicating that the Passwords component performs an authorization check that does not correctly enforce origin boundaries. Exploitation requires the victim to load attacker-controlled HTML, but no credentials or prior session with the target site are required by the attacker.
EPSS data for this CVE places exploitation probability in the lower tier of public vulnerabilities, and no public proof-of-concept or in-the-wild exploitation has been reported.
Root Cause
The root cause is an authorization or context-checking error in the Passwords feature that allows information tied to one origin to be observed or inferred by another. Such defects typically arise when password-related events, autofill state, or DOM signals are exposed without re-validating the requesting origin against the origin owning the data.
Attack Vector
The attack vector is network-based via a crafted HTML page. An attacker hosts or injects malicious HTML, then induces a victim using a vulnerable Chrome build to visit it. Once loaded, the page triggers the inappropriate Passwords behavior to obtain cross-origin data. Refer to the Chromium Issue Tracker #513313107 for technical specifics as they become public.
No verified exploit code is available. The vulnerability is described in prose by the vendor advisory only.
Detection Methods for CVE-2026-12446
Indicators of Compromise
- Chrome desktop clients reporting a version string below 149.0.7827.155 in browser telemetry or asset inventory.
- Unexpected outbound HTTP/HTTPS requests from browser processes shortly after users visit unfamiliar third-party sites.
- Web traffic to newly registered or low-reputation domains delivering HTML that interacts heavily with password autofill flows.
Detection Strategies
- Inventory Chrome installations across Windows, macOS, and Linux endpoints and flag versions earlier than 149.0.7827.155.
- Use web proxy or DNS logs to identify users browsing to suspicious pages that attempt cross-origin password or autofill interactions.
- Correlate browser version data with phishing or malvertising alerts to prioritize at-risk users.
Monitoring Recommendations
- Track Chrome update compliance via endpoint management tooling and alert on stale browser versions.
- Monitor for anomalous browser child-process behavior and unusual outbound connections that follow page loads from untrusted origins.
- Subscribe to the Google Chrome Desktop Update advisory for follow-on fixes and related disclosures.
How to Mitigate CVE-2026-12446
Immediate Actions Required
- Update Google Chrome to version 149.0.7827.155 or later on all Windows, macOS, and Linux endpoints.
- Force-restart Chrome after deployment so the patched binary is loaded, since updates apply only after a relaunch.
- Prioritize patching for users who handle sensitive credentials, financial data, or administrative web consoles.
Patch Information
Google released the fix in the Stable channel update covered by the Google Chrome Desktop Update advisory. Apply Chrome 149.0.7827.155 or later. Enterprise administrators should distribute the update through standard channels such as Chrome Browser Cloud Management, Group Policy, Jamf, or Intune.
Workarounds
- Restrict access to untrusted websites through web filtering or DNS-layer controls until patching completes.
- Disable the Chrome password manager and autofill for high-risk users, instructing them to use a vetted third-party password manager.
- Enforce browser isolation or remote browser rendering for users who must access untrusted content during the patch window.
# Verify Chrome version on Linux/macOS endpoints
google-chrome --version
# Windows: query installed Chrome version via PowerShell
(Get-Item "$env:ProgramFiles\Google\Chrome\Application\chrome.exe").VersionInfo.ProductVersion
# Required minimum version: 149.0.7827.155
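The one-liners above only print the installed version; deciding whether a host is affected still needs a numeric, component-by-component comparison against 149.0.7827.155, because a plain string comparison ranks 149.0.7827.9 above 149.0.7827.155. The following POSIX sh script is an added example, not part of the advisory or of any Google tooling; the function names, the constructed sample version strings, and the fallback used when Chrome is not installed are assumptions.

```shell
#!/bin/sh
# Added example: numerically compare a Chrome version string against the
# fixed version for CVE-2026-12446, one dotted component at a time.
MIN_FIXED_VERSION="149.0.7827.155"

# chrome_version_lt A B -> exit 0 if version A is strictly older than B
chrome_version_lt() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}          # missing trailing components count as 0
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1                           # equal to the fixed version: not older
}

# chrome_is_vulnerable "<version string>" -> prints VULNERABLE, PATCHED or UNKNOWN
# Accepts the raw output of `google-chrome --version`
# (e.g. "Google Chrome 149.0.7827.100") or a bare four-part version string.
chrome_is_vulnerable() {
    ver=$(printf '%s' "$1" | grep -oE '[0-9]+(\.[0-9]+){3}' | head -n1)
    if [ -z "$ver" ]; then
        echo "UNKNOWN"                 # no parseable version in the input
        return 2
    fi
    if chrome_version_lt "$ver" "$MIN_FIXED_VERSION"; then
        echo "VULNERABLE"; return 0
    fi
    echo "PATCHED"; return 1
}

# Stand-alone usage on a Linux host; the fallback string is a constructed
# sample used only when google-chrome is not on the PATH.
installed=$(google-chrome --version 2>/dev/null || echo "Google Chrome 149.0.7827.100")
chrome_is_vulnerable "$installed"
```

The same comparison is needed on Windows: the `ProductVersion` string returned by PowerShell should be compared as `[version]` objects rather than as text.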
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.