Monthly
CSS side-channel information leakage in Google Chrome prior to 150.0.7871.47 enables remote attackers to exfiltrate cross-origin data by luring victims to a crafted HTML page. The CVSS vector rates confidentiality impact as High (C:H) with network access and no authentication required from the attacker, though user interaction is necessary. Despite the NVD Medium score of 6.5, Google's internal Chromium severity rating is Low, EPSS sits at just 0.17% (7th percentile), there is no KEV listing, and no public exploit has been identified at time of analysis - signals that collectively indicate limited real-world exploitability.
Side-channel information leakage in the WebAuthentication component of Google Chrome on iOS (prior to 150.0.7871.47) exposes cross-origin data to remote attackers via a crafted HTML page, requiring only that a victim visit attacker-controlled content. The CVSS Confidentiality:High rating reflects the category of cross-origin data exposure, while Chromium's own internal severity classification of Low and an EPSS score of 0.21% (11th percentile) both signal that practical exploitation is considered unlikely at scale. No public exploit is identified at time of analysis and no CISA KEV listing exists.
Side-channel information leakage via the WebAudio API in Google Chrome prior to 150.0.7871.47 enables a remote attacker to extract cross-origin data from a victim's browser session through a crafted HTML page. The vulnerability abuses WebAudio's timing or spectral measurement capabilities to infer data that should be isolated by the Same-Origin Policy, exposing potentially sensitive cross-origin resources. No active exploitation has been confirmed (absent from CISA KEV), and the EPSS score of 0.17% at the 7th percentile reflects very low current exploitation probability; Chromium's own team rated the severity as Low despite the NVD's Medium (6.5) CVSS assignment.
CSS side-channel information leakage in Google Chrome prior to 150.0.7871.47 enables a remote attacker to read potentially sensitive data from the browser's process memory by inducing a victim to visit a specially crafted HTML page. The vulnerability is classified under CWE-1300 (Improper Protection of Physical Side Channels), indicating that observable rendering or timing behavior in Chrome's CSS engine can be exploited to infer in-memory state. No public exploit identified at time of analysis; however, the CVSS-assessed confidentiality impact is rated High, and Google has released a fix in Chrome stable channel version 150.0.7871.47.
Side-channel information leakage in ComputePressure in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Side-channel cross-origin data leakage in Google Chrome's Paint rendering component (all versions prior to 150.0.7871.47) allows remote attackers to infer sensitive content belonging to other origins by enticing a victim to visit a crafted HTML page. The vulnerability exploits a weakness in the Paint subsystem's rendering pipeline (CWE-1300: Improper Protection of Physical Side Channels), enabling an attacker page to observe rendering state or timing variations and reconstruct protected cross-origin data. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; EPSS probability is low at 0.21% (11th percentile). Vendor-released patch is available in Chrome 150.0.7871.47.
Side-channel information leakage in Safe Browsing in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Side-channel information leakage via Chrome's Scroll implementation exposes cross-origin data to remote attackers who can lure a victim to a crafted HTML page. All Chrome versions prior to 150.0.7871.47 are affected; exploitation requires user interaction (visiting the attacker-controlled page) but no authentication. No public exploit identified at time of analysis and EPSS sits at the 11th percentile, though the confidentiality impact is rated High by NVD given the potential to read data from foreign origins.
Side-channel information leakage in the Paint component of Google Chrome prior to 149.0.7827.53 enables cross-origin data theft via a crafted HTML page requiring only victim interaction. The CVSS 6.5 rating reflects high confidentiality impact with no attacker privileges required, but real-world risk is tempered by mandatory user interaction, Chromium's own 'Low' severity classification, and an EPSS exploitation probability of just 0.03% (11th percentile). No public exploit has been identified at time of analysis, and a vendor-released patch is available in Chrome 149.0.7827.53.
Side-channel information leakage via Performance APIs in Google Chrome prior to 149.0.7827.53 enables a remote attacker to read cross-origin data by luring a victim to a crafted HTML page. The CVSS confidentiality impact is rated High (C:H), yet Chromium's own security team classified this as 'Low' severity - a notable internal/external discordance suggesting practical exploitation is constrained. No public exploit code exists and EPSS stands at just 0.03% (11th percentile), consistent with the low-exploitation-probability profile typical of browser timing side-channels.
CSS side-channel information leakage in Google Chrome prior to 150.0.7871.47 enables remote attackers to exfiltrate cross-origin data by luring victims to a crafted HTML page. The CVSS vector rates confidentiality impact as High (C:H) with network access and no authentication required from the attacker, though user interaction is necessary. Despite the NVD Medium score of 6.5, Google's internal Chromium severity rating is Low, EPSS sits at just 0.17% (7th percentile), there is no KEV listing, and no public exploit has been identified at time of analysis - signals that collectively indicate limited real-world exploitability.
Side-channel information leakage in the WebAuthentication component of Google Chrome on iOS (prior to 150.0.7871.47) exposes cross-origin data to remote attackers via a crafted HTML page, requiring only that a victim visit attacker-controlled content. The CVSS Confidentiality:High rating reflects the category of cross-origin data exposure, while Chromium's own internal severity classification of Low and an EPSS score of 0.21% (11th percentile) both signal that practical exploitation is considered unlikely at scale. No public exploit is identified at time of analysis and no CISA KEV listing exists.
Side-channel information leakage via the WebAudio API in Google Chrome prior to 150.0.7871.47 enables a remote attacker to extract cross-origin data from a victim's browser session through a crafted HTML page. The vulnerability abuses WebAudio's timing or spectral measurement capabilities to infer data that should be isolated by the Same-Origin Policy, exposing potentially sensitive cross-origin resources. No active exploitation has been confirmed (absent from CISA KEV), and the EPSS score of 0.17% at the 7th percentile reflects very low current exploitation probability; Chromium's own team rated the severity as Low despite the NVD's Medium (6.5) CVSS assignment.
CSS side-channel information leakage in Google Chrome prior to 150.0.7871.47 enables a remote attacker to read potentially sensitive data from the browser's process memory by inducing a victim to visit a specially crafted HTML page. The vulnerability is classified under CWE-1300 (Improper Protection of Physical Side Channels), indicating that observable rendering or timing behavior in Chrome's CSS engine can be exploited to infer in-memory state. No public exploit identified at time of analysis; however, the CVSS-assessed confidentiality impact is rated High, and Google has released a fix in Chrome stable channel version 150.0.7871.47.
Side-channel information leakage in ComputePressure in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Side-channel cross-origin data leakage in Google Chrome's Paint rendering component (all versions prior to 150.0.7871.47) allows remote attackers to infer sensitive content belonging to other origins by enticing a victim to visit a crafted HTML page. The vulnerability exploits a weakness in the Paint subsystem's rendering pipeline (CWE-1300: Improper Protection of Physical Side Channels), enabling an attacker page to observe rendering state or timing variations and reconstruct protected cross-origin data. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; EPSS probability is low at 0.21% (11th percentile). Vendor-released patch is available in Chrome 150.0.7871.47.
Side-channel information leakage in Safe Browsing in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Side-channel information leakage via Chrome's Scroll implementation exposes cross-origin data to remote attackers who can lure a victim to a crafted HTML page. All Chrome versions prior to 150.0.7871.47 are affected; exploitation requires user interaction (visiting the attacker-controlled page) but no authentication. No public exploit identified at time of analysis and EPSS sits at the 11th percentile, though the confidentiality impact is rated High by NVD given the potential to read data from foreign origins.
Side-channel information leakage in the Paint component of Google Chrome prior to 149.0.7827.53 enables cross-origin data theft via a crafted HTML page requiring only victim interaction. The CVSS 6.5 rating reflects high confidentiality impact with no attacker privileges required, but real-world risk is tempered by mandatory user interaction, Chromium's own 'Low' severity classification, and an EPSS exploitation probability of just 0.03% (11th percentile). No public exploit has been identified at time of analysis, and a vendor-released patch is available in Chrome 149.0.7827.53.
Side-channel information leakage via Performance APIs in Google Chrome prior to 149.0.7827.53 enables a remote attacker to read cross-origin data by luring a victim to a crafted HTML page. The CVSS confidentiality impact is rated High (C:H), yet Chromium's own security team classified this as 'Low' severity - a notable internal/external discordance suggesting practical exploitation is constrained. No public exploit code exists and EPSS stands at just 0.03% (11th percentile), consistent with the low-exploitation-probability profile typical of browser timing side-channels.