Description
Heap buffer overflow in Skia in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Critical)
Published: 2026-04-15
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

A heap buffer overflow exists in Chrome's Skia rendering engine in versions prior to 147.0.7727.101, allowing a remote attacker to read process memory through a specially crafted HTML page. This can expose sensitive data that resides in Chrome's memory, and the vulnerability is classified as critical by Chromium's security team.

Affected Systems

The vulnerability affects Google Chrome browsers on any platform where the version is older than 147.0.7727.101. Users who have not upgraded from earlier releases are potentially exposed.

Risk and Exploitability

The exploit would require the victim to open a malicious website containing the crafted page, so the attack vector is likely remote via HTTP/HTTPS. While the EPSS score is not available and the issue is not listed in CISA's KEV catalog, the CVSS score of 4.3 indicates low severity, and the memory disclosure provides a potential risk, making it a low‑risk exposure for users who visit untrusted sites.

Generated by OpenCVE AI on April 17, 2026 at 06:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 147.0.7727.101 or later to eliminate the buffer overflow.
  • Configure Chrome’s automatic update settings to ensure security patches are applied promptly.
  • Use safe browsing and content filtering to block sites that host malicious HTML content while the update process completes.

Generated by OpenCVE AI on April 17, 2026 at 06:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6214-1 chromium security update
History

Fri, 17 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Thu, 16 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Heap buffer overflow in Skia
Weaknesses CWE-787
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 15 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 15 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Description Heap buffer overflow in Skia in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Critical)
Weaknesses CWE-122
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-15T20:25:53.459Z

Reserved: 2026-04-14T18:12:20.155Z

Link: CVE-2026-6298

cve-icon Vulnrichment

Updated: 2026-04-15T20:25:47.738Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-15T20:16:38.643

Modified: 2026-04-17T15:41:53.817

Link: CVE-2026-6298

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-15T00:00:00Z

Links: CVE-2026-6298 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T07:00:08Z

Weaknesses