Description
Use after free in Google Lens in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-14
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a use‑after‑free bug in the Google Lens module of Google Chrome that permits a remote attacker who has already compromised the renderer process to read data from the browser’s process memory. The attacker can craft an HTML page that triggers the vulnerable code, causing the renderer to access freed memory that may contain sensitive information. The weakness is classified as CWE‑416 and CWE‑825.

Affected Systems

Versions of Google Chrome older than 148.0.7778.168 contain the vulnerable implementation of Google Lens. The issue is limited to the desktop Chrome stable channel and is not present in later releases.

Risk and Exploitability

The score of 6.5 on the CVSS base metric indicates moderate severity. Because exploitation requires a compromised renderer process, an attacker would typically need to deliver malicious content through a webpage that achieves that compromise; the EPSS score is unavailable, and the vulnerability is not present in the CISA KEV catalog, implying no publicly known exploits yet. The potential impact is limited to memory disclosure rather than code execution.

Generated by OpenCVE AI on May 15, 2026 at 13:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 148.0.7778.168 or later as soon as possible.
  • Distribute the patch through your organization’s endpoint management system to ensure all endpoints run the fixed browser.
  • Enable Chrome’s Site Isolation and sandboxing features to minimize renderer privileges, reducing the chance that a compromised renderer can access sensitive memory.

Generated by OpenCVE AI on May 15, 2026 at 13:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6273-1 chromium security update
History

Fri, 15 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: chromium-browser: Use after free in Google Lens
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 15 May 2026 00:45:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free in Google Lens Exposes Renderer Memory to Remote Attackers

Thu, 14 May 2026 22:30:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free in Google Lens Exposes Renderer Memory to Remote Attackers
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 14 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description Use after free in Google Lens in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-14T21:28:12.124Z

Reserved: 2026-05-14T05:40:20.032Z

Link: CVE-2026-8550

cve-icon Vulnrichment

Updated: 2026-05-14T21:28:06.212Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-14T20:17:15.917

Modified: 2026-05-14T22:16:48.840

Link: CVE-2026-8550

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-14T19:52:26Z

Links: CVE-2026-8550 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T13:45:16Z

Weaknesses