Description
Uninitialized Use in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use of an uninitialized variable in the Dawn rendering engine of Google Chrome, rated high severity by Chromium, can allow a remote attacker to read cross‑origin data through a specially crafted HTML page. The flaw does not provide arbitrary code execution, but it leaks confidential information that a victim’s browser may have accessed from another origin. The vulnerability is a classic example of CWE‑457 (Use of Uninitialized Variable).

Affected Systems

All Chrome installations on Windows, macOS, Linux, and Chrome OS that run a version earlier than 149.0.7827.53 are affected. This covers stable channel users and any system that has not yet been updated to 149.0.7827.53 or later.

Risk and Exploitability

Chromium rates the issue as high severity. No EPSS score is currently published, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the victim to open a maliciously crafted page, so it depends on user interaction or social‑engineering tactics. Given the lack of known public exploits, the exploitation likelihood is uncertain, but the potential damage of a successful data leak is significant.

Generated by OpenCVE AI on June 5, 2026 at 01:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 149.0.7827.53 or later on all affected platforms.
  • If an immediate upgrade is not possible, enforce Chrome’s Safe Browsing or use enterprise URL filtering to block access to sites that may host malicious HTML content.
  • Ensure that all client devices are configured for automatic or frequent updates to receive future security patches in a timely manner.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 02:00:00 +0000

Type | Values Removed | Values Added
Title | | Uninitialized Variable in Dawn Engine Can Leak Cross‑Origin Data

Thu, 04 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Uninitialized Use in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Weaknesses | | CWE-457
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:04:03.092Z

Reserved: 2026-06-04T17:06:19.478Z

Link: CVE-2026-10973

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T23:17:00.510

Modified: 2026-06-04T23:17:00.510

Link: CVE-2026-10973

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T01:45:28Z

Weaknesses