Description
Insufficient validation of untrusted input in Media in Google Chrome on ChromeOS prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Media component of Google Chrome on ChromeOS allowed an attacker who had already compromised the renderer process to obtain potentially sensitive information from process memory through a crafted HTML page. The root cause is insufficient validation of untrusted input, a classic input validation weakness (CWE-20). The impact is on data confidentiality; availability and integrity of the system are not directly affected.

Affected Systems

The vulnerability applies to Google Chrome running on ChromeOS. All versions prior to 148.0.7778.216 are impacted; newer releases include the fix.

Risk and Exploitability

The issue has a CVSS score of 5.3 (Medium). EPSS puts the exploitation probability below 1%, and the CVE is not listed in the CISA KEV catalog. The likely attack scenario requires the attacker to first compromise the renderer process, after which a crafted HTML page can trigger the memory disclosure. The flaw does not itself provide arbitrary code execution, but it does enable leakage of sensitive data.

Generated by OpenCVE AI on May 29, 2026 at 18:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to the latest stable release on all ChromeOS devices to apply the media validation fix.
  • If an immediate update is not possible, configure Chrome to block or disable media content via policy or use extensions that restrict media loading until the fix is applied.
  • Enforce strict sandboxing of the renderer process on ChromeOS and monitor for abnormal memory access attempts, so that process isolation is maintained.

Generated by OpenCVE AI on May 29, 2026 at 18:38 UTC.

Advisories

No advisories yet.

History

Fri, 29 May 2026 17:30:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}

Fri, 29 May 2026 12:15:00 +0000

Type: Title
Values Removed: Insufficient Input Validation in Chrome Media Enables Memory Disclosure via Crafted HTML
Values Added: chromium-browser: Insufficient validation of untrusted input in Media

Type: Weaknesses
Values Added: CWE-125

Type: References

Type: Metrics
Values Removed: threat_severity None
Values Added: cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N'}
Values Added: threat_severity Important

Fri, 29 May 2026 01:30:00 +0000

Type: First Time appeared
Values Added: Google; Google chrome

Type: Vendors & Products
Values Added: Google; Google chrome

Fri, 29 May 2026 00:45:00 +0000

Type: Title
Values Added: Insufficient Input Validation in Chrome Media Enables Memory Disclosure via Crafted HTML

Thu, 28 May 2026 22:45:00 +0000

Type: Description
Values Added: Insufficient validation of untrusted input in Media in Google Chrome on ChromeOS prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

Type: Weaknesses
Values Added: CWE-20

Type: References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-29T16:32:00.959Z

Reserved: 2026-05-28T17:25:07.887Z

Link: CVE-2026-9985

Vulnrichment

Updated: 2026-05-29T16:31:57.437Z

NVD

Status: Undergoing Analysis

Published: 2026-05-28T23:16:56.740

Modified: 2026-05-29T18:17:17.580

Link: CVE-2026-9985

Redhat

Severity: Important

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-9985 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T18:45:05Z

Weaknesses