Description
Uninitialized Use in GPU in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-17
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an uninitialized variable in the GPU code path of Google Chrome for Android. A crafted HTML page can trigger the bug, causing the browser to read memory that belongs to another origin. This results in a confidentiality breach, potentially exposing sensitive information from other websites that the user has visited. The underlying weakness is a 457 use‑of‑uninitialized‑variable flaw.

Affected Systems

All users of Google Chrome for Android with a version earlier than 149.0.7827.155 are potentially affected. It is inferred from the advisory that the issue is unique to the Android build and does not impact Chrome on desktop or other Google products.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% signals a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog, indicating no publicly known exploitation. The likely attack vector requires an attacker to host a malicious HTML page and have the victim open it in Chrome for Android. No public exploits have been reported. It is inferred that the patch is included in the stable channel update released in June 2026. The risk remains moderate due to the moderate score and low exploitation probability.

Generated by OpenCVE AI on June 18, 2026 at 12:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 149.0.7827.155 or newer to apply the fix (inferred from the update advisory).
  • In managed environments, push the latest Chrome release through device management to all user devices.
  • Enable Chrome’s auto‑update feature to ensure future vulnerabilities are patched automatically.

Generated by OpenCVE AI on June 18, 2026 at 12:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6351-1 chromium security update
History

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title Chrome for Android: Uninitialized GPU Variable Enables Cross‑Origin Data Leakage

Wed, 17 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 17 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Description Uninitialized Use in GPU in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-457
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-17T10:58:36.490Z

Reserved: 2026-06-16T19:38:34.520Z

Link: CVE-2026-12469

cve-icon Vulnrichment

Updated: 2026-06-17T10:58:32.535Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T12:45:03Z

Weaknesses
  • CWE-457

    Use of Uninitialized Variable