Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-13952

CVE-2026-13952: Google Chrome Information Disclosure Flaw

CVE-2026-13952 is an information disclosure vulnerability in Google Chrome's PerformanceAPIs that allows attackers to leak cross-origin data via crafted HTML pages. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-13952 Overview

CVE-2026-13952 affects Google Chrome versions prior to 150.0.7871.47 due to an inappropriate implementation in the browser's Performance APIs. A remote attacker can leak cross-origin data by convincing a user to visit a crafted HTML page. The flaw undermines the same-origin policy that isolates content across web origins.

Google assigned this issue a Chromium security severity of Medium and addressed it in the Stable channel desktop update.

Critical Impact

Cross-origin data disclosure through the Performance APIs allows remote attackers to read information they should not have access to when a victim loads a malicious page.

Affected Products

  • Google Chrome for Desktop prior to 150.0.7871.47
  • Chromium-based browsers embedding the same Performance APIs implementation
  • Any Chrome deployment on Windows, macOS, and Linux prior to the patched Stable build

Discovery Timeline

  • 2026-06-30 - CVE-2026-13952 published to NVD
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-13952

Vulnerability Analysis

The vulnerability resides in Chrome's Performance APIs, a set of interfaces including Performance, PerformanceObserver, and PerformanceResourceTiming used by web pages to measure loading and runtime metrics. The inappropriate implementation causes these APIs to expose measurement data derived from cross-origin resources.

That exposure gives a malicious page visibility into timing or attribute information that the same-origin policy should protect. An attacker can use the leaked signals to infer content, redirect chains, or resource characteristics from other origins the victim is authenticated to.

The issue is tracked in the Chromium project as Chromium Issue 513401808 and was fixed in the Stable channel release documented in the Google Chrome Update Announcement.

Root Cause

Chrome's Performance APIs did not correctly enforce cross-origin restrictions on the data they surface to JavaScript. The associated weakness classification is [CWE-352], reflecting how a malicious origin can trigger requests or observe state that crosses the security boundary. Resource timing entries and related metrics should be redacted or omitted for cross-origin responses lacking a Timing-Allow-Origin header, and this control was not consistently applied.

Attack Vector

Exploitation requires a user to load an attacker-controlled HTML page in a vulnerable Chrome build. The page issues requests to third-party origins and then queries the Performance APIs to read attributes that should be opaque. No authentication or elevated privileges are needed on the attacker's side, but user interaction in the form of visiting the page is required.

The vulnerability does not permit code execution or data modification. Its impact is limited to confidentiality of cross-origin information observable through timing and resource metadata surfaces.

No public proof-of-concept or exploit is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS probability is 0.146%.

Detection Methods for CVE-2026-13952

Indicators of Compromise

  • Browser telemetry showing Chrome versions below 150.0.7871.47 still active in the environment after the patch release date
  • Web proxy or DNS logs recording user navigation to unknown domains hosting HTML pages that issue many cross-origin subresource requests
  • JavaScript inspection revealing heavy use of performance.getEntriesByType('resource') combined with fetches to sensitive third-party origins

Detection Strategies

  • Inventory installed Chrome builds across managed endpoints and flag any version earlier than 150.0.7871.47 for remediation
  • Correlate web gateway logs with endpoint browser versions to identify vulnerable clients accessing untrusted sites
  • Review Content Security Policy reports and referer patterns for pages performing unusual cross-origin resource enumeration

Monitoring Recommendations

  • Enable centralized reporting of Chrome version data through enterprise management policies or endpoint inventory tools
  • Alert on execution of browsers that fall behind the current Stable channel by more than one release cycle
  • Track outbound traffic from browser processes to newly registered or low-reputation domains that could host crafted pages

How to Mitigate CVE-2026-13952

Immediate Actions Required

  • Update Google Chrome to version 150.0.7871.47 or later on all Windows, macOS, and Linux endpoints
  • Force-restart Chrome sessions after deploying the update so the patched binary is loaded into memory
  • Verify that Chromium-based browsers and embedded WebView components in the environment have received equivalent fixes from their vendors

Patch Information

Google released the fix in the Stable channel update for desktop, documented in the Google Chrome Update Announcement. The upstream Chromium fix is tracked in Chromium Issue 513401808. Enterprise administrators should deploy the update through Chrome Browser Cloud Management, Group Policy, or their standard software distribution tooling.

Workarounds

  • Restrict browsing to trusted sites using web filtering while the update is being rolled out
  • Enforce Chrome auto-update policies so future browser vulnerabilities are patched without user action
  • Educate users to avoid opening untrusted links, since exploitation requires visiting a crafted HTML page
bash
# Verify installed Chrome version on Linux endpoints
google-chrome --version

# Windows: query the installed version via registry
reg query "HKLM\SOFTWARE\Google\Chrome\BLBeacon" /v version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.