Description
Inappropriate implementation in WebGL in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-04-01
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via Process Memory Leak
Action: Apply Patch
AI Analysis

Impact

A flaw in Chrome's WebGL implementation allowed a malicious web page to read arbitrary memory from the browser process. This flaw manifests as a buffer read error (CWE‑125) combined with an information‑disclosure weakness (CWE‑200). An attacker could use a crafted HTML page to extract sensitive data such as private application data, session tokens, or other in‑memory secrets, leading to compromise of user confidentiality. The vulnerability does not grant arbitrary code execution but can expose valuable information at the process level.

Affected Systems

Google Chrome on Windows, macOS, Linux, and other major operating systems is affected. All versions earlier than 146.0.7680.178 are vulnerable; newer versions include the fix. The issue applies across desktop browsers on the platforms listed in the CPE data.

Risk and Exploitability

The CVSS score of 6.5 classifies the issue as Medium; the EPSS score of less than 1% indicates low likelihood of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector inferred from the description is remote, requiring the victim to visit a malicious web page. Exploitation would be straightforward for an attacker with access to a victim's browsing session but does not pose a system‑wide compromise risk.

Generated by OpenCVE AI on April 2, 2026 at 23:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 146.0.7680.178 or later and restart the browser
  • Verify the update by checking the browser’s About page or chrome://system
  • If immediate upgrade is not possible, use chrome://flags to disable WebGL until the patch is applied

Generated by OpenCVE AI on April 2, 2026 at 23:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6192-1 chromium security update
History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Title chromium-browser: Inappropriate implementation in WebGL
First Time appeared Apple
Apple macos
Google
Google chrome
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Weaknesses CWE-125
CWE-200
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Google
Google chrome
Linux
Linux linux Kernel
Microsoft
Microsoft windows
References
Metrics threat_severity

None

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

threat_severity

Moderate

Wed, 01 Apr 2026 05:00:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in WebGL in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-01T14:22:29.934Z

Reserved: 2026-03-31T20:07:16.085Z

Link: CVE-2026-5291

cve-icon Vulnrichment

Updated: 2026-04-01T13:48:03.041Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T05:16:02.743

Modified: 2026-04-01T16:40:46.130

Link: CVE-2026-5291

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-31T00:00:00Z

Links: CVE-2026-5291 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:19:15Z

Weaknesses