Description
Out of bounds read in Skia in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an out-of-bounds read in the Skia graphics library used by Google Chrome on macOS. When triggered, it allows an attacker who has compromised the renderer process to read memory beyond a buffer and disclose cross-origin data. The weakness is a classic CWE-125 flaw, and it compromises the confidentiality of information that the same-origin policy is meant to protect.

Affected Systems

Google Chrome (Chromium) for macOS prior to version 150.0.7871.47 is affected. Any Chrome build older than this may be exploitable if an attacker can compromise the renderer process.

Risk and Exploitability

Chromium classifies the issue as High severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to have already compromised the renderer process before the out-of-bounds read can be used. The potential impact is therefore significant, but the likelihood is limited to scenarios where the renderer is already subverted.

Generated by OpenCVE AI on July 1, 2026 at 01:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome on all macOS machines to version 150.0.7871.47 or later to apply the Skia fix.
  • Ensure that macOS is running the latest security updates and that System Integrity Protection and Gatekeeper are enabled to limit the privileges of renderer processes.
  • Configure Chrome’s security policies or use endpoint protection to monitor for anomalous memory reads or crashes in renderer processes, and investigate any suspicious activity promptly.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 02:15:00 +0000

Type | Values Removed | Values Added
Title | | Out‑of‑Bounds Read in Skia Enables Remote Data Leak on macOS

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Out of bounds read in Skia in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Weaknesses | | CWE-125
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:37:45.180Z

Reserved: 2026-06-29T23:03:25.707Z

Link: CVE-2026-13820

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T02:00:07Z

Weaknesses