Description
Out of bounds read in GPU in Google Chrome on Mac prior to 148.0.7778.179 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-05-20
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an out-of-bounds read (CWE-125) in the GPU handling path of Google Chrome on macOS. A crafted HTML page can trigger a read outside the intended buffer, exposing potentially sensitive information from process memory. A remote attacker needs no privileged access to obtain this data.

Affected Systems

Google Chrome on macOS is affected in all versions prior to 148.0.7778.179, including stable-channel builds before that version. The record lists no other affected vendor or product.

Risk and Exploitability

Chromium rates the issue as Medium severity, and the CVSS score is 6.5. No EPSS score is available, and the vulnerability is not listed in CISA's KEV catalog. An attacker can exploit the flaw by hosting a malicious web page that the victim opens in Chrome, resulting in a remote data leak. No authentication or elevated privileges are required, and exploitation does not affect service availability.

Generated by OpenCVE AI on May 20, 2026 at 21:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 148.0.7778.179 or later.
  • If an immediate upgrade is not possible, temporarily disable hardware acceleration in Chrome’s settings to prevent use of the vulnerable GPU code paths.
  • Keep Chrome updated to the latest stable channel and monitor Google’s release notes for additional security information.

Advisories

No advisories yet.

History

Wed, 20 May 2026 21:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | | Out-of-Bounds Read in Chrome GPU Enables Remote Data Leak on macOS |
| First Time appeared | | Google; Google chrome |
| Vendors & Products | | Google; Google chrome |

Wed, 20 May 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'} |
| | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Wed, 20 May 2026 19:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Out of bounds read in GPU in Google Chrome on Mac prior to 148.0.7778.179 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) |
| Weaknesses | | CWE-125 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-20T19:33:13.547Z

Reserved: 2026-05-20T17:39:24.883Z

Link: CVE-2026-9122

Vulnrichment

Updated: 2026-05-20T19:33:10.113Z

NVD

Status: Received

Published: 2026-05-20T20:16:44.987

Modified: 2026-05-20T20:16:44.987

Link: CVE-2026-9122

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T21:45:40Z

Weaknesses