Description
Inappropriate implementation in DevTools in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. (Chromium security severity: Low)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the DevTools implementation of Google Chrome. Prior to version 149.0.7827.53, a malicious Chrome extension could craft a request that allows read access to process memory of the Chrome browser process. This can expose potentially sensitive information such as authentication tokens, passwords or personal data that reside in memory. The weakness is a form of information disclosure due to inadequate access controls on DevTools memory‑read operations.

Affected Systems

Google Chrome browsers running any Chrome version prior to 149.0.7827.53 are affected. The issue was fixed in Chrome 149.0.7827.53 and later releases.

Risk and Exploitability

The exploit requires a user to install a compromised extension, so the attack vector is user-mediated. The CVSS base score is not published in the data, but the Chromium security severity is listed as Low. EPSS is not available and the vulnerability is not in CISA’s KEV catalog. Because the attack depends on user interaction, the likelihood of exploitation is limited, but any user who installs a malicious extension could inadvertently expose sensitive data.

Generated by OpenCVE AI on June 5, 2026 at 00:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or later.
  • Disable or uninstall any untrusted or suspicious Chrome extensions, especially those that request broad permissions.
  • Monitor for extensions that attempt to access DevTools APIs and review permission requests to ensure they are needed.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 01:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google, Google chrome
Vendors & Products | | Google, Google chrome

Fri, 05 Jun 2026 00:45:00 +0000

Type | Values Removed | Values Added
Title | | Chrome DevTools Information Disclosure via Malicious Extension
Weaknesses | | CWE-200

Thu, 04 Jun 2026 23:45:00 +0000

Type | Values Removed | Values Added
Description | | Inappropriate implementation in DevTools in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. (Chromium security severity: Low)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:05:56.822Z

Reserved: 2026-06-04T17:10:59.877Z

Link: CVE-2026-11238

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-05T00:16:59.920

Modified: 2026-06-05T00:16:59.920

Link: CVE-2026-11238

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T01:15:15Z

Weaknesses