Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Object corruption in Compositing in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
AnalysisAI
Cross-origin data leakage in Google Chrome versions prior to 148.0.7778.168 occurs when an attacker who has already compromised the renderer process exploits an object corruption flaw in the Compositing component. The vulnerability requires user interaction with a malicious HTML page and high attack complexity to leak sensitive cross-origin data. Google has released a patch in Chrome 148.0.7778.168, and with EPSS at 0.03% (10th percentile) and no evidence of active exploitation (SSVC: none), this represents a medium-priority targeted threat rather than widespread exploitation risk.
Technical ContextAI
This vulnerability affects the Compositing component of Google Chrome's rendering engine, which manages how web page layers are combined and displayed. The flaw is categorized as CWE-284 (Improper Access Control), indicating insufficient enforcement of security boundaries between different origins. The Compositing system in Chromium-based browsers handles hardware-accelerated rendering and layer management, and corruption in this component can bypass same-origin policy protections. According to the CPE string cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*, all Chrome versions prior to the patched release are affected. The vulnerability requires a compromised renderer process as a precondition, meaning it serves as a second-stage exploit in a browser escape chain rather than an initial access vector. The improper access control allows memory objects from one origin to be accessed from another origin context, violating fundamental web security principles.
RemediationAI
Update Google Chrome to version 148.0.7778.168 or later immediately through the browser's built-in update mechanism (Settings > About Chrome) or by downloading the latest version from google.com/chrome. Chrome typically auto-updates within 24-48 hours of release, but manual updates ensure immediate protection. Enterprise administrators should deploy the patch through their standard Chrome update channels (Google Update/MSI packages for Windows, PKG for macOS, or package managers for Linux). The official advisory at http://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_12.html confirms patch availability. For organizations unable to patch immediately, implement defense-in-depth controls: enable Site Isolation (chrome://flags/#site-isolation-trial-opt-out set to Default or Enabled) to strengthen origin separation and limit cross-origin data access even if Compositing is compromised; deploy browser isolation technologies (remote browser isolation or virtualized browsing) for high-risk users accessing untrusted content; restrict Chrome usage to trusted sites only until patched using enterprise policies like URLBlocklist/URLAllowlist. Note that Site Isolation increases memory usage by approximately 10-13% and may impact performance on low-resource systems. These mitigations reduce but do not eliminate risk since the vulnerability requires prior renderer compromise, making layered defenses critical.
Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player
V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac
Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, a
The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, do
Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb
Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi
An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi
The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se
Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30457
GHSA-6637-whm9-6p45