Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Out of bounds memory access in Skia in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
AnalysisAI
Out-of-bounds memory access in the Skia graphics library shipped with Google Chrome before 149.0.7827.53 allows a remote attacker to execute arbitrary code within Chrome's renderer sandbox when a victim visits a malicious page. Google rates the Chromium severity as High and a vendor patch is available; no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Technical ContextAI
Skia is the open-source 2D graphics library used by Chromium (and downstream browsers such as Edge, Brave, Opera, and Electron applications) to rasterize fonts, images, SVG, and Canvas/WebGL surfaces. The root cause maps to CWE-125 (Out-of-bounds Read), meaning Skia reads memory outside the bounds of an allocated buffer while processing attacker-controlled graphical content parsed from an HTML page. Out-of-bounds reads in a JIT-adjacent rendering engine can leak memory contents useful for ASLR bypass and, when chained with the right primitives, can be escalated to type confusion or arbitrary code execution inside the renderer process, as the advisory text explicitly states code execution is achievable inside the sandbox.
RemediationAI
Vendor-released patch: Chrome 149.0.7827.53 - update Chrome to 149.0.7827.53 or later via the built-in updater (chrome://settings/help) or by redeploying the MSI/PKG from enterprise channels, per the Chrome Releases advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html and the upstream tracker at https://issues.chromium.org/issues/503958940. Downstream Chromium-based browsers and Electron apps should be updated as soon as their vendors ship a rebase onto the fixed Skia revision. As an interim compensating control where patching is delayed, restrict browsing to trusted sites via enterprise URL allow-listing, enable Enhanced Safe Browsing in Chrome, and consider Site Isolation strict mode (already default) to keep cross-origin content in separate renderers; disabling JavaScript globally would mitigate most exploitation paths but breaks the modern web and is rarely tenable outside high-assurance kiosks.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34390
GHSA-qw95-8564-vhvr