Description
Inappropriate implementation in DevTools in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability stems from an inappropriate implementation in DevTools within Google Chrome prior to build 149.0.7827.53. After a remote attacker has already compromised the renderer process, a crafted HTML page can trigger DevTools to read arbitrary data from the renderer’s memory. The flaw represents a memory‑safety weakness (CWE‑416) combined with an access‑control weakness (CWE‑497). The leaked data may include session cookies, authentication tokens, or other confidential information, thereby enabling the attacker to exfiltrate sensitive data or impersonate users.

Affected Systems

Google Chrome browsers with versions before 149.0.7827.53 are affected. The issue is confined to the DevTools component of the renderer process and does not propagate to other vendor products or operating systems listed in the CPE set.

Risk and Exploitability

The CVSS score of 9.6 is rated Critical, although Chromium rates the severity as Low. The EPSS score is less than 1% and the vulnerability is not yet in the CISA KEV catalog, indicating a low probability of widespread exploitation. Exploitation requires that the attacker first gain control of the renderer process. Once that prerequisite is satisfied, a malicious HTML page served to the compromised instance can leverage DevTools to read memory, leading to information disclosure. Chrome users exposed to untrusted web content and without strict renderer isolation face a significant risk.

Generated by OpenCVE AI on June 7, 2026 at 16:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to build 149.0.7827.53 or later.
  • If updating is delayed, disable DevTools in the browser or configure the browser to restrict DevTools usage to privileged contexts.
  • Implement strict renderer process isolation or restrict its memory permissions, ensuring that a compromised renderer cannot access sensitive memory areas.

Advisories
Source: Debian DSA
ID: DSA-6325-1
Title: chromium security update

History

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title DevTools Memory Read Vulnerability in Google Chrome chromium-browser: Inappropriate implementation in DevTools
Weaknesses CWE-497
References
Metrics threat_severity

None

threat_severity

Low


Fri, 05 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
Title DevTools Memory Read Vulnerability in Google Chrome

Fri, 05 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 05 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Title Info Disclosure via Process Memory Leak in Chrome DevTools
Weaknesses CWE-200

Fri, 05 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 01:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Title Info Disclosure via Process Memory Leak in Chrome DevTools
Weaknesses CWE-200

Thu, 04 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in DevTools in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T11:45:16.244Z

Reserved: 2026-06-04T17:11:04.352Z

Link: CVE-2026-11250

Vulnrichment

Updated: 2026-06-05T11:45:01.937Z

NVD

Status: Analyzed

Published: 2026-06-05T00:17:01.483

Modified: 2026-06-05T15:26:26.940

Link: CVE-2026-11250

Red Hat

Severity: Low

Public Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11250 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-07T16:30:04Z

Weaknesses
  • CWE-416

    Use After Free

  • CWE-497

    Exposure of Sensitive System Information to an Unauthorized Control Sphere