Description
Out of bounds read in Dawn in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-05-06
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an out‑of‑bounds read in the Dawn component of Google Chrome, present in versions prior to 148.0.7778.96. A maliciously crafted HTML page can trigger the bug and allow an attacker to read memory contents that belong to another origin, thereby leaking cross‑origin data. The weakness corresponds to CWE‑125 (out‑of‑bounds read) and results in a medium‑severity information leak.

Affected Systems

The flaw affects all desktop editions of Google Chrome older than 148.0.7778.96, regardless of operating system. Any user who opens a malicious page in such a browser could have cross‑origin data leaked. No authentication or local privilege elevation is required; the user only has to visit the page.

Risk and Exploitability

Exploitation requires only that the out‑of‑bounds read be triggered by a crafted page; no user interaction beyond opening the page is needed. Because the EPSS score is not available and the vulnerability is not listed in CISA KEV, the currently observed exploitation risk appears low, though the medium CVSS score indicates that the impact would be significant if an exploit succeeded. Administrators should prioritize patching, as the risk outweighs the effort of updating.

Generated by OpenCVE AI on May 7, 2026 at 00:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 148.0.7778.96 or later
  • Configure Chrome to block or warn about unknown or untrusted sites, or use an enterprise policy to enforce the minimum version
  • Monitor user activity for unexpected warnings or anomalies that might indicate exploitation attempts



Advisories
Source: Debian DSA
ID: DSA-6250-1
Title: chromium security update
History

Thu, 07 May 2026 01:15:00 +0000

Type Values Removed Values Added
Title Out‑of‑Bounds Read in Chrome Dawn Allowing Cross‑Origin Data Leak

Wed, 06 May 2026 23:30:00 +0000

Type Values Removed Values Added
First Time appeared: Apple; Apple macos; Linux; Linux linux Kernel; Microsoft; Microsoft windows
CPEs:
  • cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products: Apple; Apple macos; Linux; Linux linux Kernel; Microsoft; Microsoft windows

Wed, 06 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics:
  • cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}
  • ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 06 May 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared: Google; Google chrome
Vendors & Products: Google; Google chrome

Wed, 06 May 2026 20:45:00 +0000

Type Values Removed Values Added
Title Out‑of‑Bounds Read in Chrome Dawn Allowing Cross‑Origin Data Leak

Wed, 06 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Out of bounds read in Dawn in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-125
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-06T21:51:33.891Z

Reserved: 2026-05-05T22:59:27.200Z

Link: CVE-2026-7983

Vulnrichment

Updated: 2026-05-06T19:09:04.368Z

NVD

Status: Analyzed

Published: 2026-05-06T19:16:49.177

Modified: 2026-05-06T23:21:46.353

Link: CVE-2026-7983

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T01:00:14Z

Weaknesses