Description
Integer overflow in Skia in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)
Published: 2026-05-14
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An integer overflow bug in Skia on Windows allows a remote attacker, who has already compromised the renderer process, to write data outside the bounds of a buffer. This out-of-bounds memory write can corrupt memory in the renderer process, potentially affecting the stability and integrity of the browser. The flaw is associated with both CWE-190 (Integer Overflow or Wraparound) and CWE-472 (Buffer Access with Weaker Check on Size).

Affected Systems

Google Chrome for Windows versions earlier than 148.0.7778.168 are affected.

Risk and Exploitability

The vulnerability is marked as critical by Chromium, with a CVSS score of 7.5, indicating a high‑impact outcome if exploited. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the attacker has already gained control of the renderer process, which limits the attack surface but still permits an out‑of‑bounds write that could compromise the process. The risk remains high for systems running the vulnerable versions.

Generated by OpenCVE AI on May 15, 2026 at 13:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to the latest stable release 148.0.7778.168 or newer.
  • Ensure your Chrome installation is from the stable channel; do not use beta or dev channels that may contain older versions.
  • If an immediate update is not possible, start Chrome with the --disable-gpu flag or disable hardware acceleration in Settings to reduce Skia usage, thereby mitigating the risk until a patch can be applied.

Generated by OpenCVE AI on May 15, 2026 at 13:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6273-1 chromium security update
History

Fri, 15 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: chromium-browser: Integer overflow in Skia
Weaknesses CWE-190
References
Metrics threat_severity

None

 threat_severity

Critical

Fri, 15 May 2026 01:15:00 +0000

Type Values Removed Values Added
Title Skia Integer Overflow Allowing Out‑of‑Bounds Write in Chrome on Windows

Thu, 14 May 2026 23:15:00 +0000

Type Values Removed Values Added
Title Skia Integer Overflow Allowing Out‑of‑Bounds Write in Chrome on Windows

Thu, 14 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 14 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description Integer overflow in Skia in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)
Weaknesses CWE-472
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-15T03:57:26.849Z

Reserved: 2026-05-14T05:40:10.193Z

Link: CVE-2026-8510

cve-icon Vulnrichment

Updated: 2026-05-14T21:33:17.032Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-14T20:17:11.577

Modified: 2026-05-14T22:16:45.277

Link: CVE-2026-8510

cve-icon Redhat

Severity : Critical

Publid Date: 2026-05-14T19:52:10Z

Links: CVE-2026-8510 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T13:30:45Z

Weaknesses