Skip to main content

Google Chrome CVE-2026-13023

| EUVDEUVD-2026-39038 MEDIUM
Use of Uninitialized Variable (CWE-457)
2026-06-24 Chrome GHSA-682p-m82j-vw29
5.3
CVSS 3.1 · Vendor: Chrome
Share

Severity by source

Vendor (Chrome) PRIMARY
5.3 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
vuln.today AI
5.3 MEDIUM

AV:N and PR:N reflect network-delivered HTML vector with no authentication; AC:H captures mandatory prior renderer compromise; C:H reflects GPU memory read potential; I:N and A:N as read-only information disclosure with no write or denial impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Red Hat
5.3 HIGH
qualitative

Primary rating from Vendor (Chrome).

CVSS VectorVendor: Chrome

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 24, 2026 - 21:40 vuln.today
CVSS changed
Jun 24, 2026 - 20:22 NVD
5.3 (MEDIUM)
CVE Published
Jun 24, 2026 - 18:43 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 24, 2026 - 18:43 cve.org
MEDIUM 5.3

DescriptionCVE.org

Uninitialized Use in GPU in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Uninitialized GPU memory use in Google Chrome prior to 149.0.7827.197 enables a second-stage attacker who has already compromised the renderer process to read sensitive data from GPU process memory via a crafted HTML page. Classified as CWE-457 (Use of Uninitialized Variable), the flaw creates an information disclosure path within Chrome's multi-process architecture. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Deliver crafted HTML page to target user
Exploit
Exploit separate renderer vulnerability to gain renderer process code execution
Execution
Trigger uninitialized GPU memory read via crafted GPU operation
Impact
Extract sensitive process memory contents from GPU buffer

Vulnerability AssessmentAI

Exploitation Exploitation has two mandatory prerequisites: (1) the attacker must have already compromised Chrome's renderer process via a separate vulnerability - this is explicitly stated in the CVE description and is the primary limiting factor; (2) user interaction is required (UI:R in CVSS), meaning a user must load or interact with a crafted HTML page. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS scores this 5.3 (Medium) with vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker first exploits a separate, unspecified Chrome renderer vulnerability to gain code execution within the sandboxed renderer process. The attacker then serves a crafted HTML page that triggers uninitialized reads in the GPU process, causing residual GPU memory - potentially containing data from other browser tabs or system GPU operations - to be returned to the attacker-controlled renderer context. …
Remediation Update Google Chrome to version 149.0.7827.197 or later, as detailed in the Google stable channel update advisory at http://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0482630350.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Share

CVE-2026-13023 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy