Description
Uninitialized Use in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-28
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an uninitialized variable use within the ANGLE graphics library in Google Chrome. This flaw can allow a remote attacker to leak cross‑origin data by loading a crafted HTML page, enabling the attacker to read information that should have been isolated by the browser's same‑origin policy. The weakness is enumerated as CWE‑457 and CWE‑824.

Affected Systems

Affected products include Google Chrome with versions prior to 148.0.7778.216. The vulnerability exists in the ANGLE component used by Chrome on desktop platforms.

Risk and Exploitability

The CVSS score of 4.3 falls in the Medium range, though Chromium rates the issue as High. A remote attacker can exploit it from a malicious web page; no authentication or local access is required. The EPSS score is < 1%, indicating a very low probability of exploitation, and the flaw is not listed in CISA’s KEV catalog, suggesting no public evidence of active exploitation. The vendor's patch is included in Chrome 148.0.7778.216 and later. The attack vector is inferred to be remote, because the description states that a crafted HTML page can trigger the data leak.

Generated by OpenCVE AI on May 29, 2026 at 18:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to the latest stable release (148.0.7778.216 or newer), which contains the fix for the uninitialized variable in ANGLE.
  • Verify that all web applications you control enforce the same‑origin policy correctly and avoid exposing sensitive data to cross‑origin contexts.
  • If the update cannot be applied immediately, consider temporarily disabling the ANGLE backend by launching Chrome with the flag --disable-angle, which limits the use of the vulnerable graphics path.

Advisories

No advisories yet.

History

Fri, 29 May 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 29 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}


Fri, 29 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title Cross-Origin Data Leak via ANGLE Uninitialized Variable chromium-browser: Uninitialized Use in ANGLE
Weaknesses CWE-824
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

threat_severity

Important


Fri, 29 May 2026 00:30:00 +0000

Type Values Removed Values Added
Title Cross-Origin Data Leak via ANGLE Uninitialized Variable
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 28 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description Uninitialized Use in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-457
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-29T16:27:56.976Z

Reserved: 2026-05-28T17:24:54.841Z

Link: CVE-2026-9935

Vulnrichment

Updated: 2026-05-29T16:27:53.875Z

NVD

Status: Analyzed

Published: 2026-05-28T23:16:51.613

Modified: 2026-05-29T18:26:36.823

Link: CVE-2026-9935

Red Hat

Severity: Important

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-9935 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T18:45:05Z

Weaknesses