Skip to main content

Google Chrome CVE-2026-13858

| EUVDEUVD-2026-40544 MEDIUM
Out-of-bounds Read (CWE-125)
2026-06-30 chrome-cve-admin@google.com GHSA-cqw3-g77v-4rgh
6.5
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-delivered via crafted video requiring active user interaction (UI:R); no attacker privileges needed; C:H reflects renderer memory exposure; I:N and A:N as the flaw is read-only and no crash is described.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 04:31 vuln.today
CVSS changed
Jul 01, 2026 - 02:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 30, 2026 - 23:17 cve.org
MEDIUM 6.5

DescriptionCVE.org

Out of bounds read in FFmpeg in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted video file. (Chromium security severity: Medium)

AnalysisAI

Out-of-bounds read in Chrome's bundled FFmpeg video decoding component (all versions prior to 150.0.7871.47) allows a remote attacker to leak renderer process memory contents via a crafted video file. The CVSS vector confirms network reachability with no required privileges (PR:N) but mandates user interaction (UI:R), meaning the victim must process the malicious video. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker crafts malicious video file
Delivery
Hosts file on attacker-controlled web page
Exploit
Victim navigates to page in unpatched Chrome
Execution
FFmpeg decoder parses crafted video
Persist
Out-of-bounds read triggered in codec parser
Impact
Renderer process memory contents leaked to attacker

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target user take an active step to process a crafted video - either by navigating to an attacker-controlled web page embedding the malicious video (including autoplay scenarios if autoplay is permitted) or by manually opening a downloaded video file in Chrome. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS base score of 6.5 (Medium) reflects genuine but bounded risk: network-reachable (AV:N), low complexity (AC:L), unauthenticated (PR:N), but gated by mandatory user interaction (UI:R) and limited to confidentiality (C:H, I:N, A:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious video file exploiting the FFmpeg boundary-check flaw and embeds it in a web page or sends it as a download link; when the victim opens the page or file in an unpatched Chrome instance and the video is decoded, the out-of-bounds read returns contents of adjacent renderer process memory - potentially including authentication tokens, page DOM data, or cached credentials - to the attacker. No public POC exists at time of analysis, but the attack vector (network-delivered media triggering a memory-safety bug in a codec parser) follows a well-understood exploitation pattern requiring only that the user visit the attacker's page.
Remediation The primary remediation is to upgrade Google Chrome to version 150.0.7871.47 or later, as confirmed by the vendor advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html; this is a vendor-released patch and represents the complete fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-13858 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy