Skip to main content

Google Chrome CVE-2026-14418

| EUVDEUVD-2026-41190 MEDIUM
Use of Uninitialized Variable (CWE-457)
2026-07-01 Chrome GHSA-3wpm-57w7-87qj
4.3
CVSS 3.1 · Vendor: Chrome
Share

Severity by source

Vendor (Chrome) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Network delivery via crafted webpage requires no attacker privileges; victim must actively load the page (UI:R); impact is limited to partial confidentiality loss with no integrity or availability consequence.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (Chrome).

CVSS VectorVendor: Chrome

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 02, 2026 - 02:25 vuln.today
CVSS changed
Jul 02, 2026 - 02:22 NVD
4.3 (None) 4.3 (MEDIUM)
CVE Published
Jul 01, 2026 - 22:21 cve.org
MEDIUM 4.3
CVE Published
Jul 01, 2026 - 22:21 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Uninitialized Use in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Cross-origin data leakage in Google Chrome's ANGLE graphics subsystem (all versions prior to 150.0.7871.46) enables remote attackers to read sensitive data from other browser origins by luring a victim to a crafted HTML page. The flaw stems from uninitialized memory use in ANGLE, Chrome's GPU abstraction layer, which may expose stale cross-origin pixel buffers or texture memory to attacker-controlled JavaScript. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker crafts malicious HTML with WebGL or canvas content
Delivery
Victim visits crafted page in unpatched Chrome
Exploit
Chrome ANGLE layer processes graphics with uninitialized memory
Execution
Stale cross-origin data exposed in GPU memory buffer
Persist
Attacker JavaScript reads leaked memory contents
Impact
Cross-origin data exfiltrated to attacker-controlled server

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to be running an unpatched version of Google Chrome prior to 150.0.7871.46 and to actively navigate to or load a crafted HTML page controlled by the attacker (UI:R per CVSS). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N yields a Medium score of 4.3, accurately reflecting a remotely exploitable but user-interaction-dependent information disclosure with limited scope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a crafted HTML page containing malicious WebGL shader or canvas rendering content designed to trigger the uninitialized ANGLE code path, then lures a victim to the page via phishing link or malicious advertisement. When Chrome renders the page, ANGLE reads from an uninitialized memory region containing stale data from a previously loaded cross-origin context, such as pixel buffers from a recently visited banking or email session. …
Remediation Update Google Chrome to version 150.0.7871.46 or later, which is the vendor-released patch for this vulnerability per the stable channel advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-14418 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy