Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-13986

CVE-2026-13986: Google Chrome XSS Vulnerability

CVE-2026-13986 is an XSS flaw in Google Chrome's Media UI on ChromeOS allowing UI spoofing attacks. This vulnerability affects versions prior to 150.0.7871.47. This article covers technical details, impact, and mitigation.

Published:

CVE-2026-13986 Overview

CVE-2026-13986 is a user interface (UI) spoofing vulnerability in the Media UI component of Google Chrome on ChromeOS. Versions prior to 150.0.7871.47 contain an inappropriate implementation that allows a remote attacker to spoof interface elements via a crafted HTML page. Exploitation requires the victim to perform specific UI gestures, meaning the attack depends on user interaction. The flaw is tracked under [CWE-451] (User Interface Misrepresentation of Critical Information) and carries a Chromium severity rating of Medium.

Critical Impact

A remote attacker who convinces a user to engage in specific UI gestures can spoof media UI elements in Chrome on ChromeOS, enabling deception-based attacks such as phishing or credential harvesting.

Affected Products

  • Google Chrome on ChromeOS prior to version 150.0.7871.47
  • Google ChromeOS devices running vulnerable Chrome builds
  • Chromium-based Media UI component

Discovery Timeline

  • 2026-06-30 - CVE-2026-13986 published to NVD
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-13986

Vulnerability Analysis

The vulnerability resides in the Media UI subsystem of Chrome on ChromeOS. Media UI renders playback controls, notifications, and picture-in-picture surfaces tied to media sessions initiated from web content. An inappropriate implementation permits attacker-controlled HTML to influence how these UI elements render or how they respond to user gestures. The result is a spoofing primitive rather than memory corruption or direct code execution.

User interaction is required. The attacker must lure the victim to a crafted page and induce specific UI gestures for the spoof to trigger. Attack complexity is high because the gesture sequence and page state must align. Confidentiality is not directly impacted, but integrity and availability can degrade if the spoofed UI leads the user to authorize an unintended action.

Root Cause

The root cause is improper separation between untrusted web content and privileged browser chrome within the Media UI rendering path. When the browser presents media session controls or overlays, the crafted page can manipulate presentation state so that the visible interface no longer accurately represents the underlying origin or action. This falls under [CWE-451], where security-relevant information is misrepresented to the user.

Attack Vector

The attacker hosts a crafted HTML page and directs the target to visit it. The page initiates a media session and stages DOM or media element state to influence how ChromeOS renders Media UI overlays. When the user performs the required gesture, such as interacting with a media notification or picture-in-picture control, the spoofed element executes the attacker's intended visual deception. See the Chromium Issue Tracker Entry for component-level references.

No public proof-of-concept, exploit code, or CISA KEV listing is associated with this CVE at the time of publication.

Detection Methods for CVE-2026-13986

Indicators of Compromise

  • Chrome browser processes on ChromeOS reporting a version earlier than 150.0.7871.47 in fleet inventory
  • User reports of unexpected media playback notifications, picture-in-picture windows, or media control overlays tied to unfamiliar origins
  • Web navigation logs showing sustained sessions on untrusted domains that programmatically start media sessions

Detection Strategies

  • Enumerate installed Chrome and ChromeOS builds across managed devices and flag any version below 150.0.7871.47 for remediation
  • Correlate proxy or DNS telemetry with browsing patterns that combine media autoplay with credential entry forms on the same origin
  • Use browser management policies to log media session events and picture-in-picture invocations for post-incident review

Monitoring Recommendations

  • Track Chrome release channel advisories and cross-reference the Google Chrome Stable Update bulletin for downstream ChromeOS updates
  • Monitor endpoint telemetry from managed ChromeOS devices for browser version drift and delayed update posture
  • Review user-reported phishing incidents involving media playback contexts and preserve URLs for threat intelligence enrichment

How to Mitigate CVE-2026-13986

Immediate Actions Required

  • Update Chrome on ChromeOS to version 150.0.7871.47 or later on all managed devices
  • Verify ChromeOS auto-update policies are enabled and not deferred by administrative configuration
  • Communicate user awareness guidance about media notifications and picture-in-picture prompts originating from unfamiliar sites

Patch Information

Google addressed CVE-2026-13986 in Chrome 150.0.7871.47 on the Stable channel. Administrators should consult the Google Chrome Stable Update release notes and validate rollout across ChromeOS fleets using Google Admin console update reports. No configuration change is required beyond applying the fixed build.

Workarounds

  • Restrict browsing to trusted domains via ChromeOS URL blocklists until patches are deployed
  • Disable autoplay and background media session permissions through enterprise policy where operationally acceptable
  • Educate users to verify origin indicators in the address bar before acting on any media playback prompt
bash
# Verify installed Chrome version on ChromeOS via chrome://version or CLI
# Example: query Google Admin API for device Chrome versions
gcloud alpha chromeos devices list --format="table(deviceId,osVersion,platformVersion)" \
  | awk '$3 < "150.0.7871.47" {print $0}'

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.