Description
Out of bounds read in GPU in Google Chrome prior to 148.0.7778.179 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-05-20
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out-of-bounds read occurs in the GPU rendering engine of Google Chrome prior to version 148.0.7778.179. The flaw can lead to heap corruption when a specially crafted HTML page is rendered. The weakness is classified as CWE‑125 (Out-of-bounds Read) and, if successfully exploited, could allow an attacker to alter memory contents and potentially execute arbitrary code or interrupt normal execution flow. Chromium rates the severity as Medium, indicating that while exploitation is not trivial, the resulting impact could be significant.

Affected Systems

The affected vendor is Google and the product is Chrome. All Chrome installations with a build prior to 148.0.7778.179 are at risk. No operating system restriction is indicated, so users on any platform running a Chrome build older than that version may be vulnerable.

Risk and Exploitability

The attack vector is remote and requires user interaction (CVSS vector AV:N, UI:R): a user must open or visit a crafted web page. To reach the flaw, the attacker must get the victim's browser to render the malicious content. The CVSS score of 8.8 indicates high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited confirmed exploitation. The Chromium severity rating of Medium reflects a moderate likelihood of exploitation if the user visits compromised sites or opens harmful payloads.

Generated by OpenCVE AI on May 20, 2026 at 21:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 148.0.7778.179 or later, which contains the fix for the GPU out‑of‑bounds read.
  • Ensure that the browser’s security settings are configured for safe browsing and that users do not open untrusted web pages or download content from unknown sources.
  • As a temporary measure where the upgrade cannot be applied immediately, disable hardware‑accelerated GPU rendering via Chrome’s flags or policy to reduce the chance of heap corruption.

Generated by OpenCVE AI on May 20, 2026 at 21:36 UTC.

Advisories

No advisories yet.

History

Wed, 20 May 2026 21:00:00 +0000

Type | Values Removed | Values Added
Title | | Out‑of‑Bounds Read in GPU Rendering Engine Leading to Heap Corruption
First Time appeared | | Google; Google chrome
Vendors & Products | | Google; Google chrome

Wed, 20 May 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 20 May 2026 19:30:00 +0000

Type | Values Removed | Values Added
Description | | Out of bounds read in GPU in Google Chrome prior to 148.0.7778.179 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses | | CWE-125
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-21T03:55:40.661Z

Reserved: 2026-05-20T17:39:24.494Z

Link: CVE-2026-9121

Vulnrichment

Updated: 2026-05-20T19:34:54.533Z

NVD

Status: Received

Published: 2026-05-20T20:16:44.807

Modified: 2026-05-20T20:16:44.807

Link: CVE-2026-9121

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T21:45:40Z

Weaknesses