Description
Object lifecycle issue in V8 in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-05-06
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the V8 JavaScript engine’s handling of object lifecycles allowed an attacker to trigger an out‑of‑bounds memory read from a crafted HTML page. The read can expose arbitrary memory contents, potentially leaking sensitive data or facilitating further exploitation. The vulnerability is categorized as a medium‑severity issue by Chromium’s internal scoring.

Affected Systems

Google Chrome versions older than 148.0.7778.96 are affected. Any system running these versions of the browser is vulnerable when displaying malicious HTML content.

Risk and Exploitability

Because the EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, there is currently no known widespread exploitation, although the CVSS score of 4.3 indicates that if exploited it could provide an attacker with data disclosure capabilities. The attack requires a malicious web page rendered by Chrome; once the page is loaded, the out‑of‑bounds read can occur without additional user interaction.

Generated by OpenCVE AI on May 7, 2026 at 00:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 148.0.7778.97 or later, ensuring the V8 fix is applied.
  • Disable or secure the execution of untrusted local HTML files and limit the use of the browser’s developer tools in production environments.
  • Enable Chrome’s safe browsing features and consider restricting access to unknown websites through network or browser policy controls.

Generated by OpenCVE AI on May 7, 2026 at 00:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 01:00:00 +0000

Type Values Removed Values Added
Title Out‑of‑Bounds Memory Read in V8 via Crafted HTML
Weaknesses CWE-119

Wed, 06 May 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Wed, 06 May 2026 23:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 06 May 2026 22:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

Wed, 06 May 2026 20:15:00 +0000

Type Values Removed Values Added
Title Out‑of‑Bounds Memory Read in V8 via Crafted HTML
Weaknesses CWE-119

Wed, 06 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Object lifecycle issue in V8 in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-06T21:58:51.607Z

Reserved: 2026-05-05T22:59:14.246Z

Link: CVE-2026-7936

cve-icon Vulnrichment

Updated: 2026-05-06T19:48:51.444Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T19:16:41.933

Modified: 2026-05-06T23:34:23.097

Link: CVE-2026-7936

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T00:45:16Z

Weaknesses