Description
Uninitialized Use in WebML in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Chrome on macOS uses an uninitialized variable in its WebML component; a crafted HTML page can trigger this to read data from the browser’s process memory. The CVE description states that a remote attacker may obtain potentially sensitive information, but it does not identify which data types might be exposed. As described, the flaw is limited to memory disclosure; it does not provide code execution or privilege escalation.

Affected Systems

All users running Google Chrome on macOS versions earlier than 149.0.7827.53 are affected. Versions on Windows or Linux are not impacted, and later macOS releases of Chrome include the fix.

Risk and Exploitability

The vulnerability can be exploited remotely when a malicious web page is rendered in the browser. The CVSS score is 6.5, indicating medium severity. The attack requires the victim to visit or load the malicious content. The EPSS score is 0.00032, indicating a very low exploitation probability. The CVE is not listed in CISA KEV, indicating no publicly disclosed exploits. The attack path is straightforward for an attacker able to host or embed a malicious site, but the low EPSS suggests a lower immediate exploitation probability.

Generated by OpenCVE AI on June 5, 2026 at 20:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome on macOS to 149.0.7827.53 or later, which includes the WebML fix.
  • Enable Chrome’s automatic update feature or schedule regular update checks to receive future security patches promptly.
  • If an immediate upgrade is not feasible, restrict browsing to trusted sites or use an alternative browser for sensitive activities until the patch is applied.


Advisories

No advisories yet.

History

Fri, 05 Jun 2026 23:30:00 +0000

Type | Values Removed | Values Added
Metrics |  | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Title Uninitialized Use in WebML Permitting Remote Memory Disclosure on macOS Chrome

Fri, 05 Jun 2026 19:30:00 +0000

Type | Values Removed | Values Added
Metrics |  | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}


Fri, 05 Jun 2026 05:45:00 +0000

Type | Values Removed | Values Added
First Time appeared |  | Google; Google chrome
Vendors & Products |  | Google; Google chrome

Fri, 05 Jun 2026 05:30:00 +0000

Type | Values Removed | Values Added
Title |  | Uninitialized Use in WebML Permitting Remote Memory Disclosure on macOS Chrome

Thu, 04 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description |  | Uninitialized Use in WebML in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses |  | CWE-457
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T18:24:01.929Z

Reserved: 2026-06-04T17:06:33.931Z

Link: CVE-2026-11033

Vulnrichment

Updated: 2026-06-05T18:22:32.731Z

NVD

Status: Undergoing Analysis

Published: 2026-06-04T23:17:07.397

Modified: 2026-06-05T19:16:29.673

Link: CVE-2026-11033

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T21:00:05Z

Weaknesses