Description
Inappropriate implementation in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-28
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Google Chrome, an inappropriate implementation in the Skia graphics library allows a remote attacker who has already compromised the renderer process to read cross-origin data through a crafted HTML page. The flaw exposes information that the browser's same-origin policy should isolate, potentially revealing sensitive data to the attacker. The weakness is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-346 (Origin Validation Error).

Affected Systems

All Google Chrome installations running versions earlier than 148.0.7778.216 are affected. The vulnerability is present in the Skia component of the browser; therefore any machine running a Chrome build earlier than 148.0.7778.216 is susceptible.

Risk and Exploitability

The CVSS score of 3.1 indicates low severity. The EPSS score of 0.00035 points to a very low probability of exploitation, and the lack of a CISA KEV listing suggests it is not yet widespread. The potential impact remains significant for affected sites, but the overall risk to a typical user is low to medium because the vulnerability requires prior compromise of the renderer process and exploitation appears unlikely. This risk level is consistent with the low CVSS and very low EPSS scores, and the flaw is unlikely to be a widespread threat in the short term.

Generated by OpenCVE AI on May 29, 2026 at 18:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 148.0.7778.216 or later.
  • Enable Chrome’s site isolation and strict sandboxing features to limit the reach of any compromised renderer process.
  • Monitor browser logs for unexpected renderer crashes or abnormal data access patterns that may indicate exploitation.

Generated by OpenCVE AI on May 29, 2026 at 18:52 UTC.

Advisories

No advisories yet.

History

Fri, 29 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}


Fri, 29 May 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Fri, 29 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title Remote Data Leakage via Skia in Google Chrome chromium-browser: Inappropriate implementation in Skia
Weaknesses CWE-346
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N'}

threat_severity

Important


Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Title Remote Data Leakage via Skia in Google Chrome
Weaknesses CWE-200

Thu, 28 May 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 28 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-29T16:40:56.861Z

Reserved: 2026-05-28T17:25:13.831Z

Link: CVE-2026-10011

Vulnrichment

Updated: 2026-05-29T16:40:53.422Z

NVD

Status: Undergoing Analysis

Published: 2026-05-28T23:16:42.940

Modified: 2026-05-29T18:16:29.937

Link: CVE-2026-10011

Red Hat

Severity: Important

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-10011 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T19:00:06Z

Weaknesses