CVE-2026-13989: Insufficient policy enforcement in Google Chrome
CVE-2026-13989 is a medium severity vulnerability in Google Chrome prior to version 150.0.7871.47. It involves insufficient policy enforcement in the PageInfo component, allowing a remote attacker who has compromised the renderer process to perform UI spoofing via a crafted HTML page. This vulnerability could mislead users by displaying deceptive interface elements. No CVSS score is provided for this issue.
AI Analysis
Technical Summary
The vulnerability CVE-2026-13989 affects Google Chrome versions before 150.0.7871.47. It stems from an inappropriate implementation in the PageInfo feature, which fails to enforce policies correctly. This flaw enables a remote attacker with control over the renderer process to conduct UI spoofing attacks by crafting malicious HTML content. The issue is categorized with medium severity by Chromium security. There is no explicit vendor advisory detail on patch availability or remediation level beyond the version indication and a vendor blog link.
Potential Impact
A remote attacker who has already compromised the renderer process can exploit this vulnerability to perform UI spoofing. Users may be deceived by falsified interface elements, which could lead to further exploitation or a loss of user trust. The impact is limited to UI spoofing and requires prior renderer compromise, which reduces the overall severity.
Mitigation Recommendations
The vulnerability is addressed in Google Chrome version 150.0.7871.47. Users and administrators should update to this version or later to remediate the issue. No additional mitigation guidance or temporary fixes are provided by the vendor. Patch status is not explicitly confirmed in the advisory, but the affected version suggests the fix is included in 150.0.7871.47. Refer to the official Google Chrome stable channel update blog for confirmation and update instructions.
Technical Details
- Data Version: 5.2
- Assigner Short Name: Chrome
- Date Reserved: 2026-06-29T23:04:11.601Z
- Cvss Version: null
- State: PUBLISHED
- Remediation Level: null
- Vendor Advisory Urls: https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html (vendor: Google)
Threat ID: 6a444c2727e9c7971985cf92
Added to database: 06/30/2026, 23:07:19 UTC
Last enriched: 07/01/2026, 02:23:26 UTC
Last updated: 07/01/2026, 02:23:26 UTC