Skip to main content

Google Chrome CVE-2026-13833

| EUVDEUVD-2026-40519 MEDIUM
Use of Uninitialized Variable (CWE-457)
2026-06-30 chrome-cve-admin@google.com GHSA-fmjf-m6r6-43rw
6.5
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-delivered via crafted page (AV:N), no privilege needed (PR:N), user must visit the page (UI:R), confidentiality-only impact from cross-origin memory read (C:H/I:N/A:N).

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 16:28 vuln.today
CVSS changed
Jul 01, 2026 - 16:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 30, 2026 - 23:16 cve.org
MEDIUM 6.5

DescriptionCVE.org

Uninitialized Use in ANGLE in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Cross-origin data leakage in Google Chrome's ANGLE graphics library on macOS allows a remote attacker to exfiltrate sensitive cross-origin data by luring a victim to a crafted HTML page. Affected are all Chrome versions on Mac prior to 150.0.7871.47. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker hosts crafted WebGL HTML page
Delivery
Victim lured to page via phishing or ad
Exploit
Chrome on Mac triggers ANGLE uninitialized memory read
Execution
Residual cross-origin data exposed to JavaScript
Impact
Attacker script reads and exfiltrates leaked data

Vulnerability AssessmentAI

Exploitation The victim must be running Google Chrome on macOS (the flaw is specific to Chrome's ANGLE Metal path on Mac; Windows and Linux Chrome are not affected). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) reflects a remotely triggerable, unauthenticated, low-complexity flaw whose primary constraint is user interaction - the victim must navigate to or be redirected to a crafted HTML page. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a crafted HTML page containing malicious WebGL or Canvas operations designed to trigger the uninitialized memory read in Chrome's ANGLE Metal backend. A macOS user running a vulnerable Chrome version visits the page - via phishing link, malicious ad, or compromised website - causing ANGLE to return residual graphics memory to the JavaScript context. …
Remediation Update Google Chrome on macOS to version 150.0.7871.47 or later. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-13833 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy