Skip to main content

Google Chrome CVE-2026-10941

| EUVDEUVD-2026-34390 HIGH
Out-of-bounds Read (CWE-125)
2026-06-04 chrome-cve-admin@google.com GHSA-qw95-8564-vhvr
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
9.6 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 02:45 vuln.today
CVSS changed
Jun 05, 2026 - 02:22 NVD
8.8 (HIGH)
CVE Published
Jun 04, 2026 - 23:16 nvd
HIGH 8.8
CVE Published
Jun 04, 2026 - 23:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Out of bounds memory access in Skia in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Out-of-bounds memory access in the Skia graphics library shipped with Google Chrome before 149.0.7827.53 allows a remote attacker to execute arbitrary code within Chrome's renderer sandbox when a victim visits a malicious page. Google rates the Chromium severity as High and a vendor patch is available; no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.

Technical ContextAI

Skia is the open-source 2D graphics library used by Chromium (and downstream browsers such as Edge, Brave, Opera, and Electron applications) to rasterize fonts, images, SVG, and Canvas/WebGL surfaces. The root cause maps to CWE-125 (Out-of-bounds Read), meaning Skia reads memory outside the bounds of an allocated buffer while processing attacker-controlled graphical content parsed from an HTML page. Out-of-bounds reads in a JIT-adjacent rendering engine can leak memory contents useful for ASLR bypass and, when chained with the right primitives, can be escalated to type confusion or arbitrary code execution inside the renderer process, as the advisory text explicitly states code execution is achievable inside the sandbox.

RemediationAI

Vendor-released patch: Chrome 149.0.7827.53 - update Chrome to 149.0.7827.53 or later via the built-in updater (chrome://settings/help) or by redeploying the MSI/PKG from enterprise channels, per the Chrome Releases advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html and the upstream tracker at https://issues.chromium.org/issues/503958940. Downstream Chromium-based browsers and Electron apps should be updated as soon as their vendors ship a rebase onto the fixed Skia revision. As an interim compensating control where patching is delayed, restrict browsing to trusted sites via enterprise URL allow-listing, enable Enhanced Safe Browsing in Chrome, and consider Site Isolation strict mode (already default) to keep cross-origin content in separate renderers; disabling JavaScript globally would mitigate most exploitation paths but breaks the modern web and is rarely tenable outside high-assurance kiosks.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-10941 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy