CVE-2026-8545 - Vulnerability Details

- chromium-browser: chromium-browser: Object corruption in Compositing

Description

Object corruption in Compositing in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Published: 2026-05-14

Score: 3.1 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises from an object corruption bug within Chrome’s compositing subsystem. When a renderer process has already been compromised, an attacker can craft a malicious HTML page that forces the corrupted object to expose data from other origins, leading to a cross‑origin information leak. Although the flaw does not grant arbitrary code execution, it allows a knowledgeable attacker to read sensitive data that should be isolated by the browser’s same‑origin policy.

Affected Systems

Affected browsers are those running any Chrome build earlier than version 148.0.7778.168. The product is Google Chrome for desktop platforms. Devices that rely on the stable channel were susceptible until the 148.0.7778.168 release.

Risk and Exploitability

The issue carries a low severity rating, with a CVSS score of 3.1, and a very low EPSS score of < 1%. The flaw requires an already compromised renderer process, so the usual attack vector involves prior compromise of user‑origin content or malicious web pages running in the renderer. Updating the browser to a patched version disables the vulnerable compositing path and stops the data leak.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Google

Chrome

affected

Version	Status	Constraints
`148.0.7778.168`	affected	< 148.0.7778.168

No data.

Vendor Product Confidence Versions

Google

Chrome

100%

Version	Status	Scheme	Platform
`[148.0.7778.168,148.0.7778.168)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Google Chrome to version 148.0.7778.168 or later to apply the compositing fix.
Keep the browser set to the stable channel to automatically receive future security patches.
Verify that the Site Isolation feature is active; this limits the ability of compromised renderer processes to read data from other origins.

Generated by OpenCVE AI on May 15, 2026 at 16:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6273-1	chromium security update

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00035.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_12.html
https://issues.chromium.org/issues/497486030
https://nvd.nist.gov/vuln/detail/CVE-2026-8545
https://www.cve.org/CVERecord?id=CVE-2026-8545

History

Fri, 15 May 2026 14:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-200

Fri, 15 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-119 CWE-284
Metrics	cvssV3_1 `{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` cvssV3_1 `{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}`

Fri, 15 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Title	Cross‑Origin Data Leakage via Object Corruption in Chrome Compositing	chromium-browser: chromium-browser: Object corruption in Compositing
Weaknesses		CWE-386
References		https://nvd.nist.gov/vuln/detail/CVE-2026-8545 https://www.cve.org/CVERecord?id=CVE-2026-8545
Metrics	threat_severity `None`	cvssV3_1 `{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N'}` threat_severity `Important`

Thu, 14 May 2026 23:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Google Google chrome
Vendors & Products		Google Google chrome

Thu, 14 May 2026 22:30:00 +0000

Type	Values Removed	Values Added
Title		Cross‑Origin Data Leakage via Object Corruption in Chrome Compositing
Weaknesses		CWE-200

Thu, 14 May 2026 20:15:00 +0000

Type	Values Removed	Values Added
Description		Object corruption in Compositing in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
References		https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_12.html https://issues.chromium.org/issues/497486030

Subscriptions

Google Chrome

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2026-05-14T19:52:24.457Z

Updated: 2026-05-15T13:48:12.428Z

Reserved: 2026-05-14T05:40:18.959Z

Link: CVE-2026-8545

Vulnrichment

Updated: 2026-05-15T13:48:08.722Z

NVD

Status : Undergoing Analysis

Published: 2026-05-14T20:17:15.377

Modified: 2026-05-15T15:16:54.973

Link: CVE-2026-8545

Redhat

Severity : Important

Publid Date: 2026-05-14T19:52:24Z

Links: CVE-2026-8545 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-15T16:30:03Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object