Description
Uninitialized Use in GPU in Google Chrome on Android prior to 149.0.7827.197 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-24
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Chrome on Android uses the GPU to render web content. A flaw in Chrome's GPU component caused uninitialized memory to be used during certain rendering operations, allowing a malicious web page to obtain data from process memory. The exposed data may include sensitive information such as cookies, credentials, or other secrets held in Chrome's memory. This is an information-disclosure vulnerability; Chromium rates it High severity, while the CVSS 3.1 base score is 5.3 (Medium).

Affected Systems

Google Chrome on Android, versions prior to 149.0.7827.197. The issue applies to the stable channel release referenced in the 2026-06 update notes. Devices using earlier Chrome builds are vulnerable.

Risk and Exploitability

An attacker can exploit this vulnerability remotely by hosting a crafted HTML page and convincing a user to visit it in Chrome. Because the flaw is reached through GPU processing of web content, it requires no local execution or elevated privileges; the only prerequisite is that the victim browses a malicious page. Chromium rates the issue High severity, while the CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:R) yields a base score of 5.3 (Medium). EPSS data is not currently available, and the CVE is not listed in KEV, so there is no record of exploitation in the wild; the SSVC assessment likewise records Exploitation: none. Nevertheless, the ease of delivery via web content and the potential for significant data leakage warrant immediate attention.

Generated by OpenCVE AI on June 24, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.197 or later
  • Ensure that automatic updates are enabled and install updates as soon as they become available
  • As an interim measure, avoid browsing suspicious websites; disabling hardware acceleration in Chrome settings may reduce exposure, although no official workaround is provided

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 20:45:00 +0000

Type: Title
Values Removed: (none)
Values Added: Uninitialized GPU Memory Use Allows Remote Information Disclosure in Chrome Android

Wed, 24 Jun 2026 20:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 24 Jun 2026 19:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Uninitialized Use in GPU in Google Chrome on Android prior to 149.0.7827.197 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-457

Type: References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-24T19:33:56.488Z

Reserved: 2026-06-23T17:14:10.849Z

Link: CVE-2026-13030

Vulnrichment

Updated: 2026-06-24T19:30:40.231Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T20:30:04Z

Weaknesses
  • CWE-457: Use of Uninitialized Variable