Chrome Android WebView PrivEsc via crafted HTML (before 149.0.7827.155)
CVE-2026-12448 Published on June 17, 2026

Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: High)

NVD

Vulnerability Analysis

CVE-2026-12448 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

NONE

User Interaction:

REQUIRED

Scope:

UNCHANGED

Confidentiality Impact:

HIGH

Integrity Impact:

HIGH

Availability Impact:

HIGH

Weakness Type

Improper Privilege Management

The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Products Associated with CVE-2026-12448

Want to know whenever a new CVE is published for Google Chrome? stack.watch will email you.

Google Chrome

Affected Versions

Google Chrome:

Version 149.0.7827.155 and below 149.0.7827.155 is affected.

Chrome Android WebView PrivEsc via crafted HTML (before 149.0.7827.155)CVE-2026-12448 Published on June 17, 2026

Vulnerability Analysis

Weakness Type

Improper Privilege Management

Products Associated with CVE-2026-12448

Affected Versions

Chrome Android WebView PrivEsc via crafted HTML (before 149.0.7827.155)
CVE-2026-12448 Published on June 17, 2026