Description
Insufficient data validation in Animation in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the animation handling code of Google Chrome allows a remote attacker to read sensitive data from the browser’s process memory by serving a specially crafted HTML page. The vulnerability stems from insufficient data validation within the animation subsystem, enabling an attacker to extract information that should be encapsulated. The exposed data could compromise user privacy or aid further attacks, but does not grant arbitrary code execution. The issue is classified as a medium‑severity information disclosure.

Affected Systems

All users running Google Chrome versions prior to 149.0.7827.53 are affected. The vulnerability is present in the stable channel and any derived builds of the browser running those legacy versions. Users of older stable releases or custom Chromium builds that do not incorporate the 149.0.7827.53 patch are at risk.

Risk and Exploitability

The attack vector is remote and requires the victim to visit a malicious webpage. The EPSS score of < 1% indicates a very low exploitation probability, and the fact that it is not listed in CISA KEV suggests no known active exploitation. The CVSS score is 6.5, and the Chromium severity is Medium, indicating a moderate confidence that exploitation is feasible but not widespread. Remediation is limited to upgrading the browser; no mitigating configuration change is known.

Generated by OpenCVE AI on June 7, 2026 at 15:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install Chrome version 149.0.7827.53 or later; update the browser through the official updater.
  • Enable automatic browser updates to ensure future security patches are applied without manual action.
  • Apply an enterprise policy that requires Chrome to run only the patched version or newer, preventing older vulnerable releases from executing.

Generated by OpenCVE AI on June 7, 2026 at 15:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Chrome Animation Data Validation Flaw Enables Remote Information Disclosure chromium-browser: Insufficient data validation in Animation
Weaknesses CWE-1285
References
Metrics threat_severity

None

 threat_severity

Moderate

Sun, 07 Jun 2026 02:45:00 +0000

Type Values Removed Values Added
Title Chrome Animation Data Validation Flaw Enables Remote Information Disclosure

Sun, 07 Jun 2026 01:00:00 +0000

Type Values Removed Values Added
Title Chrome Animation Validation Flaw Enables Process Memory Disclosure
Weaknesses CWE-200

Sat, 06 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 06 Jun 2026 05:45:00 +0000

Type Values Removed Values Added
Title Chrome Animation Validation Flaw Enables Process Memory Disclosure
Weaknesses CWE-200

Sat, 06 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Title Insufficient Data Validation in Chrome Animation Allows Remote Information Disclosure via Crafted HTML Page
Weaknesses CWE-200

Sat, 06 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

Fri, 05 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Title Insufficient Data Validation in Chrome Animation Allows Remote Information Disclosure via Crafted HTML Page
Weaknesses CWE-200

Fri, 05 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Insufficient data validation in Animation in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-06T16:43:16.464Z

Reserved: 2026-06-04T17:06:24.134Z

Link: CVE-2026-10992

cve-icon Vulnrichment

Updated: 2026-06-06T16:43:01.292Z

cve-icon NVD

Status : Modified

Published: 2026-06-04T23:17:02.650

Modified: 2026-06-06T17:16:40.803

Link: CVE-2026-10992

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-10992 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T15:30:04Z

Weaknesses