Description
Inappropriate implementation in Media in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-17
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Google Chrome versions prior to 149.0.7827.155, an inappropriate implementation in the media subsystem allows a remote attacker to read the contents of process memory via a specially crafted HTML page. The exposed data may include sensitive information that a user has loaded or is processing. This flaw is a classic example of information disclosure (CWE‑200).

Affected Systems

The vulnerability affects Google Chrome installations using any version earlier than 149.0.7827.155. Users running these releases are at risk of memory leakage until they update to a fixed build.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity, while the EPSS score of less than 1% suggests a low current probability of exploitation. The flaw has not been listed in the CISA KEV catalog. Exploitation requires an attacker to entice the victim to open a maliciously crafted webpage in Chrome, which then leaks memory contents to the attacker. Because the vulnerability is triggered by in-process media handling, the attack vector is likely a remote web‑based intrusion rather than a local privilege escalation.

Generated by OpenCVE AI on June 17, 2026 at 17:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.155 or later via the official update channel.
  • Ensure that automatic updates are enabled so that the browser receives future security patches without manual intervention.
  • If possible, enable site isolation or sandboxing features in Chrome to isolate media processing from other browsing contexts, thereby limiting the impact of any memory exposure.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 12:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 07:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Google; Google chrome

Type: Vendors & Products
Values Removed: (none)
Values Added: Google; Google chrome

Wed, 17 Jun 2026 05:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Inappropriate implementation in Media in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

Type: References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-17T13:56:34.958Z

Reserved: 2026-06-16T19:38:27.903Z

Link: CVE-2026-12450

Vulnrichment

Updated: 2026-06-17T10:52:39.916Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T07:15:03Z

Weaknesses

No weakness.