Skip to main content

Google Chrome CVE-2026-14010

| EUVDEUVD-2026-40698 MEDIUM
Use of Uninitialized Variable (CWE-457)
2026-06-30 chrome-cve-admin@google.com GHSA-m6w7-672m-rg27
6.5
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-delivered via HTML page (AV:N), no special conditions (AC:L), no authentication needed (PR:N), victim must visit attacker page (UI:R), information disclosure only with no integrity or availability impact (C:H/I:N/A:N).

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 02:36 vuln.today
CVSS changed
Jul 01, 2026 - 02:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 30, 2026 - 23:17 cve.org
MEDIUM 6.5

DescriptionCVE.org

Uninitialized Use in Codecs in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

AnalysisAI

Uninitialized memory use in Chrome's codec subsystem on Windows leaks process memory contents to remote attackers who can direct a user to a crafted HTML page. All Chrome versions prior to 150.0.7871.47 on Windows are affected; exploitation requires no authentication but does require the victim to visit attacker-controlled content, placing this in the drive-by browsing threat category. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker hosts crafted HTML with malicious codec payload
Delivery
Victim navigates to attacker page in Chrome on Windows
Exploit
Chrome codec subsystem processes media content
Execution
Uninitialized memory read triggered in codec path
Persist
Renderer process memory contents returned to attacker
Impact
Sensitive data (tokens, credentials) extracted from memory leak

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) the target must be running Google Chrome on Windows - the vulnerability is platform-specific and does not affect Chrome on macOS or Linux; (2) the victim must actively navigate to or be redirected to an attacker-controlled HTML page containing the crafted codec content (CVSS UI:R - passive exploitation without user interaction is not indicated); (3) no authentication to Chrome or any service is required (CVSS PR:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) accurately reflects a meaningful but bounded risk: confidentiality impact is High (arbitrary process memory readable), but integrity and availability are unaffected, and exploitation requires user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a web page containing a crafted media resource - such as a specially constructed audio or video stream - that triggers the uninitialized codec code path in Chrome on Windows. When a Windows user visits this page, Chrome's codec component reads from uninitialized memory and the attacker receives fragments of renderer process memory in the response, potentially containing session tokens, cached credentials, or other sensitive data recently processed within the same process. …
Remediation The primary remediation is to update Google Chrome on Windows to version 150.0.7871.47 or later, confirmed available via the vendor's stable channel release at http://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-14010 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy