Description
Uninitialized Use in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-28
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an uninitialized use in the ANGLE graphics library within Google Chrome. When a renderer process is compromised, an attacker can design a malicious HTML page that causes the renderer to read uninitialized memory, leaking sensitive cross‑origin data. The primary impact is a confidentiality breach, exposing data that should be restricted to the original origin. The weakness is classified as CWE‑457 and also maps to CWE‑824.

Affected Systems

Google Chrome browsers running any version older than 148.0.7778.216 are affected. The vulnerability is present in the ANGLE component used across all standard Chrome builds.

Risk and Exploitability

The EPSS score is less than 1%, suggesting a low likelihood of exploitation. The CVSS score of 3.1 is rated as low severity. Because it requires a compromised renderer process and an actively crafted HTML page, the attack vector is likely limited to attackers who can compromise the renderer or otherwise trick the victim's browser. The absence of a CISA KEV listing indicates no confirmed exploits yet, but the capability for cross‑origin data leakage warrants prompt remediation.

Generated by OpenCVE AI on May 29, 2026 at 18:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Chrome version 148.0.7778.216 or newer to address the uninitialized use
  • Ensure Chrome sandboxing is enabled and that the renderer process runs with the least privileges; avoid custom flags that elevate renderer privileges
  • If upgrade is delayed, monitor for suspicious renderer activity, isolate impacted browser sessions, and consider OS‑level restrictions on renderer processes

Generated by OpenCVE AI on May 29, 2026 at 18:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}

Fri, 29 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title Uninitialized Use in ANGLE Allowing Cross‑Origin Data Leakage in Chrome chromium-browser: Uninitialized Use in ANGLE
Weaknesses CWE-824
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N'}

threat_severity

Important

Fri, 29 May 2026 01:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 29 May 2026 00:30:00 +0000

Type Values Removed Values Added
Title Uninitialized Use in ANGLE Allowing Cross‑Origin Data Leakage in Chrome

Thu, 28 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description Uninitialized Use in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-457
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-29T16:28:59.812Z

Reserved: 2026-05-28T17:24:57.065Z

Link: CVE-2026-9944

cve-icon Vulnrichment

Updated: 2026-05-29T16:28:56.532Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-28T23:16:52.540

Modified: 2026-05-29T18:17:16.170

Link: CVE-2026-9944

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-9944 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T18:45:05Z

Weaknesses