Skip to main content

Google Chrome CVE-2026-13923

| EUVDEUVD-2026-40609 MEDIUM
Use of Uninitialized Variable (CWE-457)
2026-06-30 chrome-cve-admin@google.com GHSA-4w24-9gxj-7vcf
6.5
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Delivered via crafted web page over network (AV:N/AC:L/PR:N), requires user to visit the page (UI:R), impacts only confidentiality with no integrity or availability effect (C:H/I:N/A:N).

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 02:28 vuln.today
CVSS changed
Jul 01, 2026 - 02:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 30, 2026 - 23:17 cve.org
MEDIUM 6.5

DescriptionCVE.org

Uninitialized Use in GPU in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

AnalysisAI

Uninitialized GPU memory use in Google Chrome on Android prior to 150.0.7871.47 allows a remote attacker to read potentially sensitive data from process memory by luring a user to a crafted HTML page. The flaw (CWE-457) is confined to the Android GPU code path and requires only user interaction to trigger, with CVSS confirming unauthenticated network delivery and High confidentiality impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker crafts malicious HTML page targeting Chrome Android GPU
Delivery
Distributes link via phishing or malvertising
Exploit
Victim visits page in unpatched Chrome on Android
Execution
GPU process reads uninitialized memory during rendering
Impact
Residual process memory contents exposed to attacker-controlled page

Vulnerability AssessmentAI

Exploitation Exploitation is limited to users running Google Chrome on Android at versions below 150.0.7871.47; desktop Chrome on Windows, macOS, or Linux is not affected by this GPU code path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N rates this 6.5 (Medium). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious HTML page designed to trigger uninitialized memory reads in Chrome's Android GPU process, then distributes the URL via phishing email or malvertising. When a victim on an unpatched Android device visits the page in Chrome, the GPU process reads uninitialized memory and the stale contents - potentially session tokens, credentials, or other in-process data - are exposed to the attacker-controlled page context. …
Remediation Vendor-released patch: 150.0.7871.47. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-13923 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy