Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Race in WebRTC in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
AnalysisAI
Cross-origin data leakage in Google Chrome's WebRTC component on Windows exposes limited confidential data to remote attackers via a race condition in all Chrome versions prior to 148.0.7778.216. An unauthenticated remote attacker (PR:N) can exploit this by luring a victim to a crafted HTML page, exploiting a timing window in WebRTC's concurrent execution to read cross-origin data. No public exploit has been identified at time of analysis and EPSS stands at 0.03% (9th percentile), indicating very low real-world exploitation pressure despite Chrome's internal 'High' severity classification.
Technical ContextAI
WebRTC (Web Real-Time Communication) is a built-in browser API enabling peer-to-peer audio, video, and data streaming directly within web pages. The root cause is CWE-362 (Concurrent Execution Using Shared Resource with Improper Synchronization), a race condition in Chrome's WebRTC implementation on Windows. The flaw arises in a timing-sensitive code path where a security boundary check and subsequent resource access are not atomically protected, allowing an attacker to read cross-origin data during the unsynchronized window between check and use. The CPE string cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* scoped to Windows covers all Chrome versions, with the ENISA EUVD identifier EUVD-2026-33101 corroborating the version range as all releases below 148.0.7778.216. The Chromium issue tracker entry (https://issues.chromium.org/issues/504557432) is the upstream bug report.
RemediationAI
The primary fix is to upgrade Google Chrome on Windows to version 148.0.7778.216 or later, as released in the stable channel update documented at https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html. Chrome applies updates automatically for most consumer deployments; enterprise administrators using Chrome Browser Cloud Management or Group Policy should verify that the 148.0.7778.216 build has been fully rolled out across managed Windows endpoints. As a compensating control prior to patching, WebRTC can be disabled organization-wide via the Chrome enterprise policy 'WebRtcAllowed=false' - note this will break browser-based video conferencing (Google Meet, Teams Web, Zoom Web App) and all real-time peer-to-peer communication features, which is a significant operational trade-off. Alternatively, restricting end users from visiting untrusted external sites via web proxy categorization reduces exposure. Given the low CVSS score and near-zero EPSS, emergency out-of-band patching is not warranted for most organizations.
Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player
V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac
Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, a
The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, do
Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb
Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi
An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi
The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se
Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13
Same weakness CWE-362 – Race Condition
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33101
GHSA-fpq5-2g76-9w95