Description
Uninitialized Use in GPU in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an uninitialized use in the GPU component of Google Chrome; a remote attacker who has already compromised a renderer process can read sensitive data from process memory when a crafted HTML page is loaded, and the flaw is identified as CWE-457 and CWE-824. The impact is information disclosure that could potentially reveal confidential data to the attacker.

Affected Systems

Google Chrome versions prior to 149.0.7827.197 are affected. This includes all stable channel releases before that build number.

Risk and Exploitability

The flaw has a CVSS score of 5.3, indicating medium severity, and an EPSS score of 0.00186 (less than 1%), indicating a low likelihood of exploitation. It is not listed in the CISA KEV catalog. The likely attack vector is a remote web page that the user loads while the compromised renderer process is running; the attacker can then gather memory contents. No official workaround is provided, so the primary mitigation is to update the browser to the fixed version.

Generated by OpenCVE AI on June 29, 2026 at 13:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.197 or later as released by Google.
  • If an immediate update is not possible, configure Chrome to automatically update or use enterprise update policies to receive the patch as soon as it is available.
  • Disable hardware acceleration in Chrome settings to reduce GPU usage until the patch is applied, which may mitigate exploitation risk for the interim.

Generated by OpenCVE AI on June 29, 2026 at 13:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4654-1 chromium security update
Debian DSA Debian DSA DSA-6364-1 chromium security update
History

Mon, 29 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: chromium-browser: Uninitialized Use in GPU
Weaknesses CWE-824
References
Metrics threat_severity

None

threat_severity

Important


Thu, 25 Jun 2026 06:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 24 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Title Uninitialized GPU Memory Use Enables Remote Information Disclosure

Wed, 24 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Title Uninitialized GPU Memory Use Enables Remote Information Disclosure

Wed, 24 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Description Uninitialized Use in GPU in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-457
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-24T19:28:29.512Z

Reserved: 2026-06-23T17:14:08.528Z

Link: CVE-2026-13023

cve-icon Vulnrichment

Updated: 2026-06-24T19:28:06.376Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-24T18:43:15Z

Links: CVE-2026-13023 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T14:00:05Z

Weaknesses
  • CWE-457

    Use of Uninitialized Variable

  • CWE-824

    Access of Uninitialized Pointer