Description
Out of bounds read in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-17
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out‑of‑bounds read vulnerability exists in the WebRTC implementation of Google Chrome on Windows. The flaw allows a malicious web page to trigger memory reads beyond the intended bounds of a buffer. When a crafted HTML page is rendered, an attacker could retrieve sensitive data that resides in the same process memory, potentially exposing credentials or other confidential information. The weakness is categorized as CWE‑125 and is rated high by Chromium security.

Affected Systems

The vulnerability affects all Windows installations of Google Chrome running versions earlier than 149.0.7827.155. Any user who has not applied the latest update is exposed, regardless of other installed extensions or operating system patches.

Risk and Exploitability

With a CVSS score of 6.5, the vulnerability is of moderate severity. The EPSS score is reported as less than 1%, indicating a low probability of exploitation at the time of this analysis, and it is not listed in the CISA KEV catalog. Nonetheless, a remote attacker can trigger the flaw by delivering a malicious HTML document to the browser, typically via a phishing link or a compromised website. The attack requires no local privileges and can be carried out over the public internet.

Generated by OpenCVE AI on June 17, 2026 at 18:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Chrome update 149.0.7827.155 or later to eliminate the out‑of‑bounds read.
  • Verify that Windows machines are configured for automatic Chromium updates to receive future patches promptly.
  • As a temporary measure, disable WebRTC networking by setting the "Disable WebRTC" policy or by launching Chrome with the flag "--disable-webrtc" if an update cannot be applied immediately.


Tracking


Advisories

No advisories yet.

History

Wed, 17 Jun 2026 11:30:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 09:00:00 +0000

Type: First Time appeared
Values Added: Google; Google chrome

Type: Vendors & Products
Values Added: Google; Google chrome

Wed, 17 Jun 2026 05:15:00 +0000

Type: Description
Values Added: Out of bounds read in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

Type: Weaknesses
Values Added: CWE-125

Type: References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-17T10:49:23.093Z

Reserved: 2026-06-16T19:38:31.739Z

Link: CVE-2026-12461

Vulnrichment

Updated: 2026-06-17T10:49:18.162Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T08:45:05Z

Weaknesses