Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Web-delivered exploit via crafted HTML requires victim navigation (UI:R, PR:N); memory read yields confidentiality loss only, no write or crash capability (I:N, A:N).
Primary rating from Vendor (google).
CVSS VectorVendor: google
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Inappropriate implementation in Enterprise in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
AnalysisAI
Memory disclosure in Google Chrome's Enterprise policy implementation exposes sensitive process memory contents to remote attackers who can direct victims to a crafted HTML page. All Chrome desktop releases prior to 150.0.7871.47 are affected. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The victim must be running a Google Chrome desktop version prior to 150.0.7871.47 and must actively navigate to or be redirected to a crafted HTML page controlled by the attacker (UI:R is confirmed by the CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.5 base score reflects a network-accessible, low-complexity attack requiring only user interaction - no attacker-side privileges needed - with high confidentiality impact but no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or compromises a website and embeds a crafted HTML page that triggers the inappropriate memory access path in Chrome's Enterprise component. A targeted employee at an organization using managed Chrome is socially engineered - via phishing email or malicious advertisement - into visiting the page, after which the attacker's code reads regions of the Chrome process memory, potentially capturing session tokens, cached credentials, or other sensitive in-memory data. … |
| Remediation | The primary remediation is upgrading Google Chrome to version 150.0.7871.47 or later, as confirmed by the vendor advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Moderate| Product | Status |
|---|---|
| SUSE Package Hub 15 SP7 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Package Hub 15 SP7 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40514
GHSA-frg2-jw92-vc8v