PatchSiren cyber security CVE debrief
CVE-2026-12438 Google CVE debrief
CVE-2026-12438 is a Critical vulnerability in Google Chrome's WebView on Android prior to version 149.0.7827.155. This vulnerability allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. The Chromium security severity of this vulnerability is Critical, with a CVSS score of 8.3 and a HIGH severity rating. The vulnerability affects users of Google Chrome on Android. To protect themselves, users should ensure they are running version 149.0.7827.155 or later of Google Chrome.
- Vendor
- Product
- Chrome
- CVSS
- HIGH 8.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-17
- Original CVE updated
- 2026-06-18
- Advisory published
- 2026-06-17
- Advisory updated
- 2026-06-18
Who should care
This vulnerability affects users of Google Chrome on Android. To protect themselves, users should ensure they are running version 149.0.7827.155 or later of Google Chrome. Additionally, administrators should review and update software dependencies to ensure that they are current and secure, and consider implementing additional security controls, such as network segmentation or access controls, to limit the potential impact of a successful exploit.
Technical summary
The vulnerability is caused by an inappropriate implementation in WebView in Google Chrome on Android prior to version 149.0.7827.155. This allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H. The Chromium security severity of this vulnerability is Critical, with a CVSS score of 8.3 and a HIGH severity rating. The vulnerability affects Google Chrome on Android, and users should ensure they are running version 149.0.7827.155 or later to protect themselves.
Defensive priority
High
Recommended defensive actions
- Apply the official patch by updating Google Chrome to version 149.0.7827.155 or later.
- Ensure that Google Chrome is configured to automatically update to the latest version.
- Monitor Google Chrome for any suspicious activity, such as unexpected changes to settings or unusual network requests.
- Consider implementing additional security controls, such as network segmentation or access controls, to limit the potential impact of a successful exploit.
- Regularly review and update software dependencies to ensure that they are current and secure.
Evidence notes
The CVE record was published on 2026-06-17T13:19:58.980Z and was last modified on 2026-06-18T13:47:39.107Z. The NVD entry is currently Analyzed. The vulnerability is caused by an inappropriate implementation in WebView in Google Chrome on Android prior to version 149.0.7827.155. This allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H. The Chromium security severity of this vulnerability is Critical, with a CVSS score of 8.3 and a HIGH severity rating.
Official resources
-
CVE-2026-12438 CVE record
CVE.org
-
CVE-2026-12438 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
-
Source reference
[email protected] - Permissions Required
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T13:19:58.980Z and has not been modified since then. The NVD entry is currently Analyzed.