Description
Heap buffer overflow in Skia in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap buffer overflow occurs in the Skia graphics engine used by Google Chrome. When a specially crafted HTML page is loaded, the overflow can read beyond the bounds of a heap buffer and expose data from the browser process memory. This flaw is classified as CWE‑122 and CWE‑125 and, according to Chromium’s own assessment, it has a medium severity level.

Affected Systems

All users running Google Chrome on the stable channel prior to version 149.0.7827.53 are affected. The vulnerability exists in the Skia code path that Chrome uses and is not limited to any particular operating system.

Risk and Exploitability

The EPSS score is < 1% and the vulnerability is not listed in the CISA KEV catalog, indicating that no widespread exploitation has been documented. Nonetheless, the flaw enables an attacker to read arbitrary memory contents from the browser process, potentially disclosing sensitive information from the victim’s browser session. The likely attack vector is a malicious web page that a user visits; once that page is rendered, the memory leakage can occur with no further interaction.

Generated by OpenCVE AI on June 7, 2026 at 13:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 149.0.7827.53 or later, which contains a fixed Skia guard
  • Enable automatic updates so that future patches are applied without manual intervention
  • Avoid opening unknown or suspicious HTML pages until a trusted page is confirmed to be safe

Generated by OpenCVE AI on June 7, 2026 at 13:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Heap buffer overflow in Skia
Weaknesses CWE-125
References
Metrics threat_severity

None

 threat_severity

Moderate

Sat, 06 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 06 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Heap Buffer Overflow in Skia Allows Remote Information Disclosure via Crafted HTML Page

Sat, 06 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

Fri, 05 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
Title Heap Buffer Overflow in Skia Allows Remote Information Disclosure via Crafted HTML Page

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Heap buffer overflow in Skia in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-122
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-06T16:44:02.358Z

Reserved: 2026-06-04T17:06:24.366Z

Link: CVE-2026-10993

cve-icon Vulnrichment

Updated: 2026-06-06T16:43:58.059Z

cve-icon NVD

Status : Modified

Published: 2026-06-04T23:17:02.770

Modified: 2026-06-06T17:16:40.953

Link: CVE-2026-10993

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-10993 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T14:00:09Z

Weaknesses