Description
Out of bounds read in Skia in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted file. (Chromium security severity: Medium)
Published: 2026-04-15
Score: n/a
EPSS: n/a
KEV: No
Impact: Remote memory data disclosure
Action: Patch
AI Analysis

Impact

This vulnerability is an out‑of‑bounds read in the Skia graphics subsystem used by Google Chrome. A crafted file can trigger the read and expose data from Chrome’s process memory, enabling an attacker to retrieve potentially sensitive information. The Chromium team rates the severity as Medium.

Affected Systems

Google Chrome versions prior to 147.0.7727.101 on all supported operating systems are affected. The flaw originates in the Skia library, so any installation of Chrome that uses that library is at risk, regardless of the user’s platform.

Risk and Exploitability

The EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog, yet the medium CVSS severity indicates notable risk. An attacker can exploit this remotely by delivering a malicious file that a user opens; Chrome will then read memory outside the bounds of the image buffer. The exploit requires only that the user view the file and does not depend on elevated privileges, making it accessible through social engineering or phishing. Once the out‑of‑bounds read occurs, an attacker can capture arbitrary data such as cookies or cached credentials stored in memory.

Generated by OpenCVE AI on April 16, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 147.0.7727.101 or newer.
  • Restrict opening of untrusted or unknown files that might trigger the exploit.
  • Keep Chrome’s sandboxing and Safe Browsing features enabled to limit exposure.

Generated by OpenCVE AI on April 16, 2026 at 02:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 02:45:00 +0000

Type Values Removed Values Added
Title Chrome Skia Out‑of‑Bounds Read Enables Remote Memory Disclosure

Wed, 15 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 15 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Description Out of bounds read in Skia in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted file. (Chromium security severity: Medium)
Weaknesses CWE-125
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-15T19:04:59.385Z

Reserved: 2026-04-15T14:28:38.705Z

Link: CVE-2026-6364

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-15T20:16:43.910

Modified: 2026-04-15T20:16:43.910

Link: CVE-2026-6364

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T02:30:21Z

Weaknesses