PatchSiren

CVE-2026-12460 Google CVE debrief

CVE-2026-12460 is a High-severity vulnerability in Google Chrome: insufficient policy enforcement in File System Access allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted PDF file. The issue was addressed in Google Chrome version 149.0.7827.155 and was publicly disclosed on June 17, 2026. The CVSS score for this vulnerability is 4.2, indicating a Medium severity level. Organizations using Google Chrome should prioritize updating to the latest version to prevent potential exploitation.

Vendor: Google
Product: Chrome
CVSS: MEDIUM 4.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

Users of Google Chrome prior to version 149.0.7827.155, IT administrators responsible for managing Google Chrome installations, and security teams monitoring for potential threats.

Technical summary

CVE-2026-12460 is caused by insufficient policy enforcement in File System Access in Google Chrome. A remote attacker who has already compromised the renderer process can use a crafted PDF file to bypass site isolation. The issue was resolved in Google Chrome version 149.0.7827.155. The CVSS score for this vulnerability is 4.2, with a CVSS vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N.

Defensive priority

High

Recommended defensive actions

  • Update Google Chrome to version 149.0.7827.155 or later
  • Ensure all users are running the latest version of Google Chrome
  • Monitor for suspicious PDF files or unusual activity
  • Implement additional security measures such as site isolation and sandboxing
  • Regularly review and update browser extensions and plugins
  • Consider implementing a vulnerability management program
  • Review and update incident response plans to address potential exploitation
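
One way to check the first two actions against a fleet inventory export, as an added example that is not part of the original advisory. The CSV layout, host names and sample version strings are constructed; only the fixed version 149.0.7827.155 comes from this page.

```python
import csv
import io

FIXED = "149.0.7827.155"  # fixed version stated in the advisory

# Constructed sample inventory (host,chrome_version); not real data.
SAMPLE_INVENTORY = """host,chrome_version
ws-001,149.0.7827.155
ws-002,149.0.7827.99
ws-003,148.0.7700.200
ws-004,150.0.7900.10
ws-005,Version 149.0.7827.20 (Official Build)
ws-006,unknown
"""


def parse_version(text):
    """Return a 4-int tuple for a MAJOR.MINOR.BUILD.PATCH string, or None."""
    for token in text.split():
        parts = token.split(".")
        if len(parts) == 4 and all(p.isascii() and p.isdigit() for p in parts):
            return tuple(int(p) for p in parts)
    return None


def triage(inventory_csv, fixed=FIXED):
    """Classify each host as patched, vulnerable or unknown."""
    fixed_t = parse_version(fixed)
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row.get("chrome_version") or "")
        if version is None:
            # Unparseable entries are surfaced for follow-up, not assumed safe.
            result["unknown"].append(row["host"])
        elif version < fixed_t:
            # Integer tuple comparison; comparing the raw strings would
            # rank 149.0.7827.99 above 149.0.7827.155 and miss ws-002.
            result["vulnerable"].append(row["host"])
        else:
            result["patched"].append(row["host"])
    return result


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```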

Evidence notes

This vulnerability was publicly disclosed on June 17, 2026, and was addressed in Google Chrome version 149.0.7827.155. The CVE record and NVD detail provide additional information on this vulnerability.

Official resources

CVE-2026-12460 was publicly disclosed on June 17, 2026.