Description
Uninitialized Use in GPU in Google Chrome on Android prior to 149.0.7827.197 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Chrome Android uses GPU for rendering web content. A flaw in the GPU driver caused uninitialized memory to be read during certain rendering operations, allowing a malicious web page to extract data from process memory. The attacker can obtain sensitive information such as cookies, credentials, or other secrets stored in Chrome’s memory, creating an information‑disclosure vulnerability.

Affected Systems

Google Chrome running on Android devices affected by versions prior to 149.0.7827.197. The issue applies to the stable channel release referenced in the 2026‑06 update notes. Devices using earlier Chrome builds are vulnerable.

Risk and Exploitability

An attacker can exploit this remote vulnerability by hosting a crafted HTML page and convincing a user to visit it while Chrome is running. Because the flaw exploits GPU processing, it requires no local execution or elevated privileges; the only prerequisite is that the victim browses a malicious page. The CVE’s CVSS score of 5.3 indicates moderate severity, and although EPSS data is not currently available, the lack of a KEV listing indicates no known public exploits yet. Nevertheless, the ease of delivery via web content and the potential for significant data leakage warrant immediate attention.

Generated by OpenCVE AI on June 24, 2026 at 21:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.197 or later
  • Ensure that automatic updates are enabled and install updates as soon as they become available
  • As an interim measure, avoid browsing suspicious websites; disabling hardware acceleration in Chrome settings may reduce exposure, although no official workaround is provided

Generated by OpenCVE AI on June 24, 2026 at 21:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4654-1 chromium security update
Debian DSA Debian DSA DSA-6364-1 chromium security update
History

Thu, 16 Jul 2026 00:30:00 +0000

Type Values Removed Values Added
Title chromium-browser: chromium-browser: Uninitialized Use in GPU
Weaknesses CWE-824
References
Metrics threat_severity

None

threat_severity

Important


Thu, 25 Jun 2026 06:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 24 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Title Uninitialized GPU Memory Use Allows Remote Information Disclosure in Chrome Android

Wed, 24 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Title Uninitialized GPU Memory Use Allows Remote Information Disclosure in Chrome Android

Wed, 24 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Description Uninitialized Use in GPU in Google Chrome on Android prior to 149.0.7827.197 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-457
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-24T19:33:56.488Z

Reserved: 2026-06-23T17:14:10.849Z

Link: CVE-2026-13030

cve-icon Vulnrichment

Updated: 2026-06-24T19:30:40.231Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-24T18:43:17Z

Links: CVE-2026-13030 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T06:00:05Z

Weaknesses
  • CWE-457

    Use of Uninitialized Variable

  • CWE-824

    Access of Uninitialized Pointer