Description
Out of bounds read in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-14
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out‑of‑bounds read in Chrome’s renderer process allows a remote attacker who has already compromised that process to extract potentially sensitive data from process memory through a crafted HTML page. The weakness is a classic array bounds overflow (CWE‑125), which can leak confidential information without altering program state. The victim is limited to the data stored in the renderer’s address space, but this can include session tokens, cookies, or other user data.

Affected Systems

Google Chrome prior to version 148.0.7778.168 is affected. Chrome users running the stable channel or earlier builds may be vulnerable.

Risk and Exploitability

The EPSS score is unavailable, so the likelihood of exploitation cannot be quantified from publicly available data. The CVSS score is 5.3, indicating medium severity. The vulnerability is listed as high on the Chromium security severity scale and is not included in the CISA KEV catalog. Because an attacker must first compromise the renderer process before exploiting the memory read, the attack vector is inferred to require a local or remote compromise of Chrome’s rendering component, typically by delivering malicious web content or exploiting a separate vulnerability. Risk assessment must therefore consider a threat actor capable of controlling or injecting code into Chrome’s renderer activity.

Generated by OpenCVE AI on May 14, 2026 at 23:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Chrome 148.0.7778.168 or later, which includes the patch for the out‑of‑bounds read in the renderer process.
  • If upgrading immediately is not possible, restrict the execution of untrusted web content by using Chrome’s sandbox settings or disabling extensions that interact with the renderer.
  • Maintain Chrome’s automatic update feature and regularly review the Chrome release blog for new security patches.

Generated by OpenCVE AI on May 14, 2026 at 23:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6273-1 chromium security update
History

Fri, 15 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: chromium-browser: Out of bounds read in UI
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 15 May 2026 00:15:00 +0000

Type Values Removed Values Added
Title Chrome Renderer Process Out-of-Bounds Read Enables Memory Disclosure

Thu, 14 May 2026 22:30:00 +0000

Type Values Removed Values Added
Title Chrome Renderer Process Out-of-Bounds Read Enables Memory Disclosure

Thu, 14 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 14 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description Out of bounds read in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-125
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-14T21:29:24.470Z

Reserved: 2026-05-14T05:40:17.993Z

Link: CVE-2026-8541

cve-icon Vulnrichment

Updated: 2026-05-14T21:29:19.222Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-14T20:17:14.970

Modified: 2026-05-14T22:16:48.133

Link: CVE-2026-8541

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-14T19:52:23Z

Links: CVE-2026-8541 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T00:00:06Z

Weaknesses