Description
Insufficient validation of untrusted input in GPU in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an insufficient validation of untrusted input in the GPU subsystem of Google Chrome on Windows versions older than 150.0.7871.47. A remote attacker who has already compromised the renderer process can use a crafted HTML page to read sensitive data from that process’s memory, potentially exposing confidential information. The flaw is an input validation weakness (CWE‑20) and is classified as Medium by Chromium security severity.

Affected Systems

The defect affects Google Chrome on Windows browsers running versions prior to 150.0.7871.47. No other vendor or product variations are indicated.

Risk and Exploitability

The flaw carries a medium severity rating with a CVSS score of 5.3. There is no EPSS score available and it is not listed in CISA KEV. Exploitation requires that the attacker already has control of the renderer process; once this is the case the attacker can read that process’s memory via a crafted page. The vulnerability does not provide remote code execution or system‑wide compromise on its own, but it exposes valuable information for further attacks.

Generated by OpenCVE AI on July 1, 2026 at 14:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 150.0.7871.47 or later on Windows.
  • If an update cannot be applied immediately, disable GPU acceleration by launching Chrome with the '--disable-gpu' flag or setting the GPU Acceleration option to Off.
  • Deploy content filtering, malware protection, or web reputation services to reduce the chance that the renderer process is compromised by malicious content.

Generated by OpenCVE AI on July 1, 2026 at 14:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 14:45:00 +0000

Type Values Removed Values Added
Title GPU Subsystem Input Validation Leak in Google Chrome on Windows

Wed, 01 Jul 2026 10:45:00 +0000

Type Values Removed Values Added
Title GPU Input Validation Flaw in Chrome Enables Remote Memory Information Leakage

Wed, 01 Jul 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 01 Jul 2026 02:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 02:00:00 +0000

Type Values Removed Values Added
Title GPU Input Validation Flaw in Chrome Enables Remote Memory Information Leakage

Tue, 30 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in GPU in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-20
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-01T01:34:13.189Z

Reserved: 2026-06-29T23:03:39.571Z

Link: CVE-2026-13875

cve-icon Vulnrichment

Updated: 2026-07-01T01:34:09.282Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T14:30:05Z

Weaknesses
  • CWE-20

    Improper Input Validation