VYPR
← All advisories
Unrated severityNVD Advisory· Published Jul 20, 2014· Updated May 6, 2026

CVE-2014-3159

CVE-2014-3159

Description

Google Chrome on Android before 36.0.1985.122 fails to restrict URL loading in OpenURLFromTab, enabling Omnibox spoofing.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Google Chrome on Android before 36.0.1985.122 fails to restrict URL loading in OpenURLFromTab, enabling Omnibox spoofing.

Vulnerability

The vulnerability resides in the WebContentsDelegateAndroid::OpenURLFromTab function within components/web_contents_delegate_android/web_contents_delegate_android.cc. In Google Chrome for Android prior to version 36.0.1985.122, this function does not properly restrict URL loading. This allows a remote attacker to spoof the URL displayed in the Omnibox (address bar) through unspecified vectors, breaking the URL integrity that users rely on for security.

Exploitation

An attacker can exploit this issue by crafting a web page or link that, when visited by a victim using an affected Chrome version on Android, triggers the URL spoofing condition. The exact sequence of steps is not detailed in available references, but the attack does not require any special privileges beyond network access to deliver the malicious content to the victim's browser.

Impact

Successful exploitation enables an attacker to display a fake URL in the Omnibox, making it appear as if the user is visiting a legitimate site when they are actually on a malicious one. This undermines the user's trust and can be leveraged to steal sensitive information or perform phishing attacks.

Mitigation

Google addressed this vulnerability in Chrome version 36.0.1985.122 for Android, released around July 2014. Users should ensure their Chrome browser is updated to at least this version. No workarounds or KEV listing (as of known public writing) are documented; the only mitigation is applying the update.

[1]

References
  1. src.chromium.org SVN

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

101
  • Google/Chrome101 versions
    cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*+ 100 more
    • cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*range: <=36.0.1985.106
    • cpe:2.3:a:google:chrome:36.0.1985.1:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.100:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.101:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.102:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.103:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.104:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.105:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.12:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.13:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.14:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.15:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.16:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.17:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.18:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.19:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.2:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.20:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.21:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.22:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.23:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.24:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.25:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.26:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.27:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.28:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.29:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.3:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.30:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.31:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.32:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.33:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.34:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.35:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.36:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.37:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.38:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.39:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.4:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.40:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.41:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.42:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.43:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.44:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.45:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.46:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.47:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.48:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.49:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.5:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.50:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.51:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.52:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.53:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.54:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.55:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.56:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.57:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.58:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.59:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.6:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.60:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.61:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.62:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.63:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.64:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.65:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.66:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.67:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.68:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.69:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.70:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.72:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.73:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.74:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.75:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.76:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.77:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.78:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.79:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.8:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.81:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.82:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.83:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.84:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.85:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.86:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.87:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.88:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.89:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.90:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.91:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.92:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.93:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.94:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.95:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.96:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.97:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.98:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:36.0.1985.99:*:*:*:*:*:*:*
    • (no CPE)range: < 36.0.1985.122

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.