Description
Uninitialized Use in Skia in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An uninitialized-memory use was discovered in the Skia graphics library that ships with Google Chrome. When a crafted HTML page is rendered, the browser may read memory that was never initialized, and that memory can contain data belonging to another origin. An attacker can therefore exfiltrate sensitive information from the victim's browser environment. The weakness is a classic instance of Use of Uninitialized Variable (CWE-457) and also relates to Access of Uninitialized Pointer (CWE-824), both of which can lead to serious confidentiality violations.

Affected Systems

Google Chrome builds earlier than 149.0.7827.53 are vulnerable. The issue affects every platform on which this Chrome version ships, and any user who can be led to visit a maliciously constructed web page.

Risk and Exploitability

Because the flaw is triggered by a web page, a remote attacker can exploit it simply by embedding the offending content in a malicious site or email attachment. Chromium rates the security severity as Medium, reflecting the potential for cross-origin data exposure, but the EPSS score of < 1% and the absence of the vulnerability from CISA's KEV catalog suggest that exploitation is not yet widespread. Nonetheless, since loading a crafted page is all that is required, the vulnerability is both easy to reach and potentially impactful.

Generated by OpenCVE AI on June 7, 2026 at 14:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.53 or later on all affected machines.
  • If the update cannot be applied immediately, disable GPU acceleration in Chrome to reduce Skia's influence as a temporary mitigation.
  • Employ centralized update management (e.g., Chrome Management or Admin console) to roll out the patched version as soon as possible.

Advisories

Source      ID          Title
Debian DSA  DSA-6325-1  chromium security update

History

Mon, 08 Jun 2026 14:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Apple; Apple macos; Linux; Linux linux Kernel; Microsoft; Microsoft windows
CPEs                 -                cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
                                      cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
                                      cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
                                      cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products   -                Apple; Apple macos; Linux; Linux linux Kernel; Microsoft; Microsoft windows

Sun, 07 Jun 2026 12:15:00 +0000

Type        Values Removed          Values Added
Title       -                       chromium-browser: Uninitialized Use in Skia
Weaknesses  -                       CWE-824
References  -                       -
Metrics     threat_severity: None   threat_severity: Moderate


Fri, 05 Jun 2026 20:45:00 +0000

Type   Values Removed   Values Added
Title  -                Uninitialized Use in Skia Allows Cross-Origin Data Leaks

Fri, 05 Jun 2026 19:30:00 +0000

Type     Values Removed   Values Added
Metrics  -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 18:30:00 +0000

Type     Values Removed   Values Added
Metrics  -                cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}


Fri, 05 Jun 2026 06:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Google; Google chrome
Vendors & Products   -                Google; Google chrome

Fri, 05 Jun 2026 06:00:00 +0000

Type   Values Removed   Values Added
Title  -                Uninitialized Use in Skia Allows Cross-Origin Data Leaks

Thu, 04 Jun 2026 23:15:00 +0000

Type         Values Removed   Values Added
Description  -                Uninitialized Use in Skia in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses   -                CWE-457
References   -                -

MITRE
Status: PUBLISHED
Assigner: Chrome
Published:
Updated: 2026-06-05T17:38:04.894Z
Reserved: 2026-06-04T17:10:33.574Z
Link: CVE-2026-11159

Vulnrichment
Updated: 2026-06-05T17:37:43.436Z

NVD
Status: Analyzed
Published: 2026-06-04T23:17:22.437
Modified: 2026-06-08T14:40:35.373
Link: CVE-2026-11159

Redhat
Severity: Moderate
Public Date: 2026-06-02T00:00:00Z
Links: CVE-2026-11159 - Bugzilla

OpenCVE Enrichment
Updated: 2026-06-07T15:00:13Z

Weaknesses
  • CWE-457: Use of Uninitialized Variable
  • CWE-824: Access of Uninitialized Pointer