Description
Out of bounds read in Dawn in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-28
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an out‑of‑bounds read in the Dawn rendering engine of Google Chrome, identified by CWE‑125. This flaw allows a crafted HTML page to read data across origins, enabling an attacker to leak confidential information from the victim’s browser. The primary impact is a confidentiality breach, as the attacker can reconstruct and exfiltrate data not intended to be exposed.

Affected Systems

Google Chrome for Windows installations running any version prior to 148.0.7778.216 were affected. The issue is limited to the Windows desktop platform and does not impact other operating systems or Chrome builds.

Risk and Exploitability

Chromium rates the issue as Moderate severity with a CVSS score of 6.5, and although no EPSS score is currently available and the vulnerability is not listed in the CISA KEV catalog, the potential for cross‑origin data exfiltration is significant. The attack likely requires a remote attacker to host a malicious webpage that a user visits, leveraging the out‑of‑bounds read in Dawn to read memory across origins.

Generated by OpenCVE AI on May 29, 2026 at 14:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 148.0.7778.216 or later on all Windows machines
  • Enable automatic updates so future security patches are applied without manual intervention
  • If immediate update is not possible, limit exposure by restricting access to untrusted sites through content‑security‑style policies or network filtering

Generated by OpenCVE AI on May 29, 2026 at 14:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

Fri, 29 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title Chrome Dawn Out‑of‑Bounds Read Allows Cross‑Origin Data Leak chromium-browser: Out of bounds read in Dawn
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

threat_severity

Important

Fri, 29 May 2026 01:00:00 +0000

Type Values Removed Values Added
Title Chrome Dawn Out‑of‑Bounds Read Allows Cross‑Origin Data Leak

Fri, 29 May 2026 00:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 28 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description Out of bounds read in Dawn in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-125
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-29T16:23:38.579Z

Reserved: 2026-05-28T17:24:48.706Z

Link: CVE-2026-9907

cve-icon Vulnrichment

Updated: 2026-05-29T16:23:22.801Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-28T23:16:48.767

Modified: 2026-05-29T18:17:14.010

Link: CVE-2026-9907

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-9907 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T14:15:37Z

Weaknesses