PatchSiren cyber security CVE debrief
CVE-2026-12448 Google CVE debrief
CVE-2026-12448 is a High-severity vulnerability in Google Chrome's WebView on Android, allowing remote attackers to escalate privileges via a crafted HTML page. This issue was addressed in Chrome version 149.0.7827.155. Organizations should prioritize updating Chrome to the latest version to mitigate this vulnerability. The CVSS score for this vulnerability is 8.8, indicating a high level of severity. This vulnerability was publicly disclosed on June 17, 2026, and the CVE record was last modified on June 18, 2026.
- Vendor: Google
- Product: Chrome
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-17
- Original CVE updated: 2026-06-18
- Advisory published: 2026-06-17
- Advisory updated: 2026-06-18
Who should care
This vulnerability affects users of Google Chrome on Android. Organizations and individuals using Chrome on Android should update to the latest version to mitigate this vulnerability. Additionally, security teams and IT administrators responsible for managing Chrome deployments should be aware of this issue and take necessary actions to protect their environments.
Technical summary
The vulnerability is caused by an inappropriate implementation in WebView in Google Chrome on Android prior to version 149.0.7827.155, which allows a remote attacker to perform privilege escalation via a crafted HTML page. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: the issue is reachable over the network with low attack complexity, requires no privileges but does require user interaction, and has high impact on confidentiality, integrity and availability. The associated weakness is CWE-269 (Improper Privilege Management).
Defensive priority
High
Recommended defensive actions
- Update Google Chrome on Android to version 149.0.7827.155 or later
- Ensure that Chrome is configured to automatically update to the latest version
- Monitor Chrome deployments for any signs of exploitation
- Implement additional security measures, such as network segmentation and access controls, to limit the impact of a potential exploit
- Conduct regular security audits and vulnerability assessments to identify and address potential vulnerabilities
- Provide training and awareness programs for users on safe browsing practices and the importance of keeping software up to date
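To support the update and monitoring actions above, the following added example (not part of the original debrief and not Google tooling) triages Android User-Agent strings taken from web or proxy logs against the fixed version 149.0.7827.155. The sample strings and their build numbers are constructed, and the script assumes the logs record the User-Agent, which may be version-reduced to the major number only.

```python
import re

FIXED = (149, 0, 7827, 155)  # fixed Chrome version stated in this advisory

# Android Chrome/WebView UA: "(Linux; Android ...)" platform block, then "Chrome/a.b.c.d"
UA_RE = re.compile(r"\(Linux; Android [^)]*\).*?Chrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")
# WebView adds a "wv" token at the end of the platform block
WV_RE = re.compile(r"\(Linux; Android [^)]*;\s*wv\)")

def is_webview(ua: str) -> bool:
    return bool(WV_RE.search(ua))

def classify(ua: str) -> str:
    """Return 'not-applicable', 'vulnerable', 'patched' or 'indeterminate'."""
    m = UA_RE.search(ua)
    if not m:
        return "not-applicable"  # not Chrome or WebView on Android
    version = tuple(int(p) for p in m.groups())
    # User-Agent reduction reports only the major version (e.g. 149.0.0.0).
    # On the fixed major, such a UA cannot be resolved to a build, so it
    # needs confirmation from device inventory (MDM) rather than logs.
    if version[0] == FIXED[0] and version[1:] == (0, 0, 0):
        return "indeterminate"
    return "patched" if version >= FIXED else "vulnerable"

def triage(uas):
    """Map each UA to (status, is_webview), skipping non-Android clients."""
    out = []
    for ua in uas:
        status = classify(ua)
        if status != "not-applicable":
            out.append((status, is_webview(ua)))
    return out

# Constructed sample User-Agent strings (not real log data)
TAIL = "AppleWebKit/537.36 (KHTML, like Gecko) "
SAMPLE_UAS = [
    "Mozilla/5.0 (Linux; Android 14; Pixel 8 Build/X; wv) " + TAIL + "Version/4.0 Chrome/148.0.7778.100 Mobile Safari/537.36",
    "Mozilla/5.0 (Linux; Android 14; Pixel 8 Build/X; wv) " + TAIL + "Version/4.0 Chrome/149.0.7827.154 Mobile Safari/537.36",
    "Mozilla/5.0 (Linux; Android 13; SM-S911B) " + TAIL + "Chrome/149.0.7827.155 Mobile Safari/537.36",
    "Mozilla/5.0 (Linux; Android 10; K) " + TAIL + "Chrome/149.0.0.0 Mobile Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) " + TAIL + "Chrome/148.0.0.0 Safari/537.36",
]

if __name__ == "__main__":
    for status, wv in triage(SAMPLE_UAS):
        print(f"{status:14} webview={wv}")
```

Clients reported as `indeterminate` sent a reduced User-Agent on major version 149, so their exact build has to be confirmed from device management data.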
Evidence notes
The information provided is based on the CVE record and NVD details. The CVE record was publicly disclosed on June 17, 2026, and last modified on June 18, 2026. The vendor, Google, has provided references to additional information, including a stable channel update for desktop and an issue tracker entry.
Official resources
Publicly disclosed on June 17, 2026.