Description
Heap buffer overflow in SwiftShader in Google Chrome on Mac and iOS prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-05-14
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap buffer overflow exists in SwiftShader within Google Chrome on Mac and iOS versions prior to 148.0.7778.168. When a specially crafted HTML page is loaded, an attacker can trigger an out‑of‑bounds memory read, exposing confidential data. The vulnerability does not provide code execution capabilities, but it can compromise the confidentiality of information stored in the browser process. The Chromium team has assessed the issue as Medium severity.

Affected Systems

Google Chrome browsers running on macOS or iOS before build 148.0.7778.168 are affected. The flaw resides in the SwiftShader component and is specific to those platform builds.

Risk and Exploitability

Because the vulnerability is triggered by a crafted web page, the attack vector is remote via the browser. No exploits are known and the EPSS score is not available, while the vulnerability is not listed in CISA’s KEV catalog. The CVSS score of 4.3 indicates a medium level of risk, suggesting that, while exploitation is possible, it carries moderate risk without additional conditions such as elevated privileges.

Generated by OpenCVE AI on May 15, 2026 at 00:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 148.0.7778.168 or later, which includes the SwiftShader patch.
  • If an update is not immediately possible, disable hardware acceleration or SwiftShader via Chrome flags to reduce the attack surface.
  • Continuously monitor Chrome release notes for security updates and verify that SwiftShader is patched as part of future releases.

Generated by OpenCVE AI on May 15, 2026 at 00:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6273-1 chromium security update
History

Fri, 15 May 2026 00:30:00 +0000

Type Values Removed Values Added
Title Remote Memory Disclosure via SwiftShader Heap Buffer Overflow in Google Chrome

Thu, 14 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 14 May 2026 22:30:00 +0000

Type Values Removed Values Added
Title Remote Memory Disclosure via SwiftShader Heap Buffer Overflow in Google Chrome

Thu, 14 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description Heap buffer overflow in SwiftShader in Google Chrome on Mac and iOS prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-122
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-14T21:26:38.113Z

Reserved: 2026-05-14T05:40:22.296Z

Link: CVE-2026-8560

cve-icon Vulnrichment

Updated: 2026-05-14T21:26:33.435Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-14T20:17:18.083

Modified: 2026-05-14T22:16:49.553

Link: CVE-2026-8560

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T00:15:16Z

Weaknesses