EUVD-2026-17783
GHSA-hx6g-3vm9-fm5c
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Integer overflow in Codecs in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)
AnalysisAI
Integer overflow in Google Chrome's Codecs component prior to version 146.0.7680.178 enables remote code execution and arbitrary memory read/write operations when a user visits a malicious HTML page. The vulnerability affects all versions before the patch release and requires no user interaction beyond visiting a crafted webpage. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Victim must open a crafted HTML page in Google Chrome prior to version 146.0.7680.178. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Without a published CVSS vector or EPSS score, risk assessment relies on available signals: (1) Attack vector is NETWORK (malicious HTML page delivery), (2) the Chromium team assigned HIGH severity rather than CRITICAL, suggesting likely user interaction or environment-specific conditions, (3) no CISA KEV listing or public exploit code identified, indicating no confirmed active exploitation in the wild, (4) patch is available from vendor, reducing window of exposure for updated users. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker hosts a malicious HTML page containing specially crafted codec data or a webpage that triggers integer overflow within Chrome's codec parser. When a victim visits the page (via phishing link, watering-hole attack, or malicious ad redirect), the integer overflow is triggered during codec processing, corrupting heap memory and enabling arbitrary read/write or code execution within the Chrome process. … |
| Remediation | Users should immediately update Google Chrome to version 146.0.7680.178 or later. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Inappropriate implementation in Media in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to obtain poten
Out of bounds read in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to obtain pot
Inappropriate implementation in Serial in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to inject arbi
Out of bounds read in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to obtain
Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to leak cro
Vendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye (security), bullseye | vulnerable | 120.0.6099.224-1~deb11u1 | - |
| bookworm | vulnerable | 143.0.7499.169-1~deb12u1 | - |
| bookworm (security) | vulnerable | 146.0.7680.164-1~deb12u1 | - |
| trixie | vulnerable | 145.0.7632.159-1~deb13u1 | - |
| trixie (security) | vulnerable | 146.0.7680.164-1~deb13u1 | - |
| forky | vulnerable | 146.0.7680.153-1 | - |
| sid | fixed | 146.0.7680.177-1 | - |
| bullseye | fixed | (unfixed) | end-of-life |
| (unstable) | fixed | 146.0.7680.177-1 | - |
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today