Description
Heap buffer overflow in Skia in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap buffer overflow occurs in the Skia graphics engine that is used by Google Chrome. When a specially crafted HTML page is loaded, the overflow can read beyond the bounds of a heap buffer and expose data from the browser process memory. This flaw is classified as CWE‑122 and, according to Chromium’s own assessment, it has a medium severity level.

Affected Systems

All users running Google Chrome on the stable channel prior to version 149.0.7827.53 are affected. The vulnerability exists in the desktop build of Chrome and does not apply to earlier versions or to Chrome on other platforms that are not using the same Skia code path.

Risk and Exploitability

The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating that no widespread exploitation has been documented to date. However, because the flaw allows an attacker to read arbitrary memory contents, the potential impact is the disclosure of sensitive information from the victim’s browser session. The likely attack vector is a malicious web page that a user visits: the attacker cannot remotely trigger the flaw without the user opening a crafted HTML page. Once that page is opened, the memory leakage can occur with no further interaction.

Generated by OpenCVE AI on June 5, 2026 at 01:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 149.0.7827.53 or later, which contains a fixed Skia stack guard
  • Enable automatic updates so that future patches are applied without manual intervention
  • Avoid opening HTML pages from unknown or suspicious sources unless they have been confirmed to be safe



Advisories

No advisories yet.

History

Fri, 05 Jun 2026 02:30:00 +0000

Values Added (Values Removed: none):
  • First Time appeared: Google; Google chrome
  • Vendors & Products: Google; Google chrome

Fri, 05 Jun 2026 02:00:00 +0000

Values Added (Values Removed: none):
  • Title: Heap Buffer Overflow in Skia Allows Remote Information Disclosure via Crafted HTML Page

Thu, 04 Jun 2026 23:15:00 +0000

Values Added (Values Removed: none):
  • Description: Heap buffer overflow in Skia in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
  • Weaknesses: CWE-122
  • References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:04:11.916Z

Reserved: 2026-06-04T17:06:24.366Z

Link: CVE-2026-10993

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T23:17:02.770

Modified: 2026-06-04T23:17:02.770

Link: CVE-2026-10993

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T02:15:29Z

Weaknesses