CVE-2026-14034 in Chrome

Summary

by MITRE • 07/01/2026

Inappropriate implementation in WebXR in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)


Analysis

by VulDB Data Team • 07/01/2026

The vulnerability under discussion is an inappropriate implementation flaw in Google Chrome's WebXR functionality on Android, affecting versions prior to 150.0.7871.47. The issue stems from insufficient validation of the navigation restrictions that apply within the WebXR environment, which a remote attacker can exploit through a crafted HTML page. The flaw lies in how Chrome enforces navigation boundaries while WebXR content is loaded, allowing navigation into contexts that the restrictions were meant to keep off limits.

WebXR technology enables immersive experiences through virtual and augmented reality interfaces directly within web browsers, requiring strict security controls to prevent unauthorized navigation and content access. When navigation restrictions are improperly enforced, attackers can manipulate the browser's navigation flow to redirect users to unintended destinations or access restricted content that should remain protected. The vulnerability manifests when a malicious HTML page leverages specific WebXR API behaviors to bypass established security boundaries, effectively circumventing the intended protection mechanisms.

This security weakness operates at the intersection of web application security and immersive technology implementation, with potential operational impacts extending beyond simple navigation bypasses. Attackers could exploit this flaw to redirect users to phishing sites, deliver malicious content, or gain access to restricted network resources that should be protected from WebXR applications. The low severity classification indicates that while the vulnerability does not directly enable privilege escalation or data theft, it creates a pathway for potentially harmful navigation redirections that could lead to broader security incidents.

The technical implementation issues align with common CWE categories related to security misconfigurations and inadequate input validation within web browser environments. This flaw demonstrates how complex web APIs can introduce unexpected security vectors when proper boundary enforcement mechanisms are not adequately implemented. From an ATT&CK framework perspective, this vulnerability maps to techniques involving initial access through malicious content delivery and privilege escalation through navigation manipulation, though the specific impact remains limited in scope.

Organizations should immediately update Chrome browsers on affected Android devices to version 150.0.7871.47 or later to address this vulnerability. System administrators should also monitor for any suspicious navigation patterns or unauthorized redirects that might indicate exploitation attempts. Additional mitigations include implementing network-level controls to restrict access to potentially malicious websites and conducting regular security assessments of WebXR-enabled applications. The vulnerability serves as a reminder of the importance of thorough security testing for complex web APIs and the need for robust boundary enforcement mechanisms in immersive technology implementations.
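The remediation above reduces to one check per device: is the installed Chrome build older than 150.0.7871.47? The following is an added example, not code from VulDB or from the Chromium project, that performs that comparison over a small inventory. The device names and version strings in `SAMPLE_INVENTORY` are constructed for illustration; only the fixed version comes from the advisory. The point it demonstrates is that four-component Chrome versions must be compared numerically, since a plain string comparison ranks "150.0.7871.5" above "150.0.7871.47" and would wrongly report an affected build as patched.

```python
from dataclasses import dataclass

# Fixed version quoted in the advisory; every build below it is affected.
FIXED_VERSION = "150.0.7871.47"


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted Chrome version (MAJOR.MINOR.BUILD.PATCH) into integers.

    Missing trailing components are padded with 0 so that "150" compares
    as 150.0.0.0. Non-numeric input is rejected rather than silently
    treated as patched.
    """
    parts = version.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {version!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return tuple(nums)


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is strictly older than the fixed build.

    Tuples of ints compare component by component, so 7871.5 < 7871.47
    as it should; comparing the raw strings would give the opposite answer.
    """
    return parse_version(installed) < parse_version(fixed)


@dataclass(frozen=True)
class Device:
    name: str
    chrome_version: str


# Constructed sample inventory (hypothetical devices, not real data).
SAMPLE_INVENTORY = [
    Device("tablet-01", "150.0.7871.47"),  # exactly the fixed build: patched
    Device("phone-07", "150.0.7871.5"),    # string-sorts "newer", is older
    Device("phone-12", "149.0.7812.98"),   # previous major version
    Device("phone-20", "151.0.7900.12"),   # newer major version
]


def devices_needing_update(inventory, fixed: str = FIXED_VERSION) -> list[str]:
    """Names of devices whose Chrome build is below the fixed version."""
    return [d.name for d in inventory if is_affected(d.chrome_version, fixed)]


if __name__ == "__main__":
    for name in devices_needing_update(SAMPLE_INVENTORY):
        print(f"{name}: Chrome below {FIXED_VERSION}, update required")
```

In a real deployment the version strings would come from the MDM or device-management inventory rather than a hard-coded list; the comparison logic stays the same.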

Responsible

Chrome

Reservation

06/30/2026

Disclosure

07/01/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low
