Skip to main content

Google Chrome CVE-2026-13875

| EUVDEUVD-2026-40561 MEDIUM
Improper Input Validation (CWE-20)
2026-06-30 chrome-cve-admin@google.com GHSA-9j9m-3v39-2g9x
5.3
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
5.3 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
vuln.today AI
5.3 MEDIUM

Network delivery via HTML page; AC:H for mandatory renderer pre-compromise; UI:R for user visit; confidentiality-only impact with no integrity or availability effect.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 02:24 vuln.today
CVSS changed
Jul 01, 2026 - 02:22 NVD
5.3 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 30, 2026 - 23:17 cve.org
MEDIUM 5.3

DescriptionCVE.org

Insufficient validation of untrusted input in GPU in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

AnalysisAI

Memory disclosure in Google Chrome's GPU component on Windows enables a remote attacker - who has already established renderer process compromise - to extract sensitive data from process memory via a crafted HTML page. Affected versions are all Chrome for Windows releases prior to 150.0.7871.47. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Lure victim to crafted HTML page
Delivery
User visits page in Chrome on Windows
Exploit
Renderer process exploited via separate vulnerability
Execution
Malformed GPU IPC message sent from compromised renderer
Persist
GPU process fails to validate input
Impact
Sensitive process memory read and returned to attacker

Vulnerability AssessmentAI

Exploitation Exploitation requires two explicit conditions: (1) the victim must actively visit an attacker-controlled crafted HTML page (UI:R - user interaction is mandatory), AND (2) the attacker must have already achieved renderer process compromise, likely through a separate, chained renderer vulnerability. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 5.3 with vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker first delivers a separate renderer exploit via a crafted HTML page - causing the victim's Chrome renderer process to become attacker-controlled after the user visits the malicious URL. From the compromised renderer, the attacker sends malformed IPC messages to the GPU process that pass insufficient validation, triggering a memory read beyond intended bounds. …
Remediation Upgrade Google Chrome on all Windows systems to version 150.0.7871.47 or later. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-13875 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy