Description
Object lifecycle issue in Dawn in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-05-14
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An object lifecycle flaw in Chrome’s Dawn rendering engine allows a maliciously crafted web page to read sensitive data from the browser’s process memory. The vulnerability is a memory disclosure issue that would let a remote attacker gain access to potentially confidential information without the need for advanced privileges. Severity is assessed as medium, suggesting a significant but not critical impact on confidentiality if exploited.

Affected Systems

Google Chrome versions earlier than 148.0.7778.168 are vulnerable. The issue arises in the Dawn component used by Chrome’s rendering pipeline.

Risk and Exploitability

The exploit can be triggered from any remote web page, so the attack vector is remote. The EPSS score of <1% indicates a very low probability of exploitation in the wild. No active exploits are publicly documented. The vulnerability is not listed in the CISA KEV catalog. Given the medium severity and the remote nature of the vulnerability, organizations with unpatched browsers should consider this a priority to mitigate.

Generated by OpenCVE AI on May 15, 2026 at 14:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 148.0.7778.168 or later
  • Rely on the browser’s built‑in sandbox to limit exposure while the patch is pending
  • If an immediate update is not possible, use isolated virtual machines or browser profiles that restrict access to local HTML files

Generated by OpenCVE AI on May 15, 2026 at 14:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6273-1 chromium security update
History

Fri, 15 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title Object Lifecycle Bug in Chrome Dawn Allows Remote Memory Disclosure via Crafted Web Page chromium-browser: chromium-browser: Object lifecycle issue in Dawn
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 15 May 2026 02:45:00 +0000

Type Values Removed Values Added
Title Object Lifecycle Bug in Chrome Dawn Allows Remote Memory Disclosure via Crafted Web Page

Fri, 15 May 2026 01:00:00 +0000

Type Values Removed Values Added
Title Memory Disclosure via Object Lifecycle Mismanagement in Chrome's Dawn Engine
Weaknesses CWE-200
CWE-416

Thu, 14 May 2026 22:15:00 +0000

Type Values Removed Values Added
Title Memory Disclosure via Object Lifecycle Mismanagement in Chrome's Dawn Engine
First Time appeared Google
Google chrome
Weaknesses CWE-200
CWE-416
CWE-664
Vendors & Products Google
Google chrome
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description Object lifecycle issue in Dawn in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-14T21:22:22.262Z

Reserved: 2026-05-14T05:40:27.289Z

Link: CVE-2026-8582

cve-icon Vulnrichment

Updated: 2026-05-14T21:22:19.520Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-14T20:17:20.600

Modified: 2026-05-14T22:16:51.220

Link: CVE-2026-8582

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-14T19:52:43Z

Links: CVE-2026-8582 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T15:00:14Z

Weaknesses