Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Out of bounds read in GPU in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
AnalysisAI
Heap corruption in Google Chrome's GPU component prior to version 148.0.7778.179 allows remote attackers to exploit an out-of-bounds read via a crafted HTML page, potentially leading to arbitrary code execution or information disclosure within the renderer context. The flaw carries a CVSS 8.8 (High) rating due to network reachability and high impact across confidentiality, integrity, and availability, though exploitation requires user interaction (visiting a malicious page). There is no public exploit identified at time of analysis, and CISA SSVC marks exploitation status as 'none', suggesting opportunistic rather than active targeting.
Technical ContextAI
The vulnerability resides in Chrome's GPU process, which handles hardware-accelerated rendering for WebGL, Canvas, and compositing operations. CWE-125 (Out-of-bounds Read) indicates that the GPU component reads memory outside the bounds of an allocated buffer, which in browser GPU code typically arises from malformed shader inputs, texture parameters, or command buffer entries. While an OOB read alone leaks memory, Chrome's advisory explicitly notes the bug 'allowed a remote attacker to potentially exploit heap corruption,' implying the OOB condition can be chained into heap layout manipulation. The affected CPE (cpe:2.3:a:google:chrome) covers Chrome across platforms; the GPU process is sandboxed but compromise here is a known stepping stone toward full sandbox escape in chained Chrome exploits.
RemediationAI
Vendor-released patch: Chrome 148.0.7778.179 or later, distributed via the stable channel update documented at https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html and tracked in https://issues.chromium.org/issues/488064108. Users should ensure Chrome auto-update is enabled and restart the browser to apply; enterprise administrators should push the updated MSI/PKG via management tooling. As an interim compensating control, GPU acceleration can be disabled via chrome://settings ('Use hardware acceleration when available' off) or the --disable-gpu flag, which removes the vulnerable attack surface at the cost of degraded rendering performance and broken WebGL/Canvas-heavy sites. Chromium derivatives (Edge, Brave, Opera) should be updated to versions that incorporate the upstream fix once published by those vendors.
Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player
V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac
Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, a
The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, do
Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb
Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi
An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi
The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se
Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Package Hub 15 SP7 | Fixed |
| openSUSE Leap 16.0 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Package Hub 15 SP7 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31171
GHSA-mhhc-85f5-7chm