Description
Side-channel information leakage in Paint in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Chrome’s Paint module processes pixel data from rendered web pages. A flaw in how the component accesses memory allowed a specially crafted HTML page to cause the driver to expose adjacent memory through a side‑channel, leaking data from other origins. The vulnerability hinges on a failure to isolate paint operations, leading to cross‑origin information exposure.

Affected Systems

Chrome versions earlier than 150.0.7871.47 on any operating system are affected, regardless of the user’s permissions. The issue is triggered only when the victim opens a malicious HTML page in the browser.

Risk and Exploitability

A remote attacker can exploit the flaw by delivering a crafted page via a website or email. The attack vector is surface‑level: the victim need only load a page. While no EPSS score is published and the flaw is not listed in CISA’s KEV catalog, the Chromium severity rating of Medium and the potential to compromise confidentiality make the risk moderate. No additional exploitation prerequisites are required beyond this page view.

Generated by OpenCVE AI on July 1, 2026 at 01:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 150.0.7871.47 or later, which contains the necessary memory‑access fixes.
  • Enable Site Isolation in Chrome to further separate rendering processes and limit cross‑origin access.
  • Apply Content Security Policy rules or restrict trusted sites to reduce the chance that malicious HTML will be displayed to users.

Generated by OpenCVE AI on July 1, 2026 at 01:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 01:45:00 +0000

Type Values Removed Values Added
Title Cross‑Origin Data Leak via Paint Rendering Side‑Channel

Tue, 30 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Side-channel information leakage in Paint in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-1300
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:22.529Z

Reserved: 2026-06-29T23:03:52.858Z

Link: CVE-2026-13922

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T01:30:17Z

Weaknesses
  • CWE-1300

    Improper Protection of Physical Side Channels