Description
Out of bounds read in Media in Google Chrome prior to 149.0.7827.53 allowed an attacker on the local network segment to perform an out of bounds memory read via malicious network traffic. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Google Chrome’s Media module allows a local network attacker to send specially crafted traffic that causes the browser to read memory beyond the intended bounds, exposing sensitive data stored in memory such as passwords or cryptographic keys. This is a classic out‑of‑bounds read weakness, identified as CWE‑125.

Affected Systems

Google Chrome versions prior to 149.0.7827.53 on desktop platforms are vulnerable.

Risk and Exploitability

The CVSS score is 4 (Medium), and Chromium’s own severity rating is also Medium, with no EPSS score published and no listing in the CISA KEV catalog. Exploitation requires the attacker to be able to inject malicious traffic onto the victim’s local network segment, typically via broadcast or multicast streams. While the exploit does not provide remote code execution, it enables memory disclosure that could reveal privileged information if the attacker observes the victim’s session data. Given the local‑network requirement and lack of publicly known exploits, the likelihood of widespread exploitation is moderate but not negligible.

Generated by OpenCVE AI on June 5, 2026 at 12:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Chrome 149.0.7827.53 or later to receive the vendor patch
  • If an upgrade is delayed, run Chrome with the flag --disable-media-stream to disable the vulnerable Media module until a fix is available
  • Configure firewalls or network segmentation to block or restrict multicast and broadcast traffic that can reach the Chrome process
  • Maintain Chrome at the latest stable release to ensure all security updates are applied

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
Title Local Network Media Out‑of‑Bounds Read in Google Chrome

Fri, 05 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Fri, 05 Jun 2026 07:00:00 +0000

Type Values Removed Values Added
First Time appeared Google, Google chrome
Vendors & Products Google, Google chrome

Fri, 05 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Title Local Network Media Out‑of‑Bounds Read in Google Chrome

Fri, 05 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Out of bounds read in Media in Google Chrome prior to 149.0.7827.53 allowed an attacker on the local network segment to perform an out of bounds memory read via malicious network traffic. (Chromium security severity: Medium)
Weaknesses CWE-125
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T10:43:12.700Z

Reserved: 2026-06-04T17:06:25.488Z

Link: CVE-2026-10998

Vulnrichment

Updated: 2026-06-05T01:42:10.086Z

NVD

Status: Undergoing Analysis

Published: 2026-06-04T23:17:03.490

Modified: 2026-06-05T15:02:34.977

Link: CVE-2026-10998

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T13:00:14Z

Weaknesses