Description
Insufficient validation of untrusted input in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform a denial of service via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-14
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from insufficient validation of untrusted input in the GPU component of Google Chrome. When an attacker can compromise the renderer process, they can craft a malicious HTML page that triggers a crash, leading to a denial of service. The weakness centers on improper input validation (CWE‑20, CWE‑1173), affecting the availability of the system. The impact is a denial of service that can be triggered remotely once the attacker has compromised the renderer process. It does not expose credentials or data, but it can disrupt user sessions and web content rendering.

Affected Systems

Affected product is Google Chrome for all users running versions prior to 148.0.7778.168. The exact version range is not listed beyond the specified earlier release. No other vendors or products are noted.

Risk and Exploitability

The vulnerability carries a medium severity rating of 5.3 on the CVSS scale. No EPSS score is available and the flaw is not listed in the CISA KEV catalog, indicating no documented widespread exploitation to date. The attack requires that the attacker already has control over the renderer process, which is typically achieved through exploitation of additional local privilege or code‑execution vulnerabilities. Once achieved, the attacker can manipulate a crafted HTML page to cause a crash.

Generated by OpenCVE AI on May 15, 2026 at 14:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 148.0.7778.168 or newer
  • Verify that GPU acceleration is enabled only for trusted content
  • Monitor Chrome update channels for additional patches related to renderer and GPU handling

Generated by OpenCVE AI on May 15, 2026 at 14:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6273-1 chromium security update
History

Fri, 15 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: chromium-browser: Insufficient validation of untrusted input in GPU
Weaknesses CWE-1173
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 15 May 2026 00:15:00 +0000

Type Values Removed Values Added
Title GPU Input Validation Vulnerability Causing Denial of Service in Chrome

Thu, 14 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 14 May 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Thu, 14 May 2026 22:00:00 +0000

Type Values Removed Values Added
Title GPU Input Validation Vulnerability Causing Denial of Service in Chrome

Thu, 14 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform a denial of service via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-20
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-14T21:30:26.286Z

Reserved: 2026-05-14T05:40:17.244Z

Link: CVE-2026-8538

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-14T20:17:14.650

Modified: 2026-05-14T22:16:47.840

Link: CVE-2026-8538

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-14T19:52:22Z

Links: CVE-2026-8538 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T14:15:51Z

Weaknesses