Skip to main content

Chrome Android EUVDEUVD-2026-40657

| CVE-2026-13969 MEDIUM
Use of Uninitialized Variable (CWE-457)
2026-06-30 chrome-cve-admin@google.com GHSA-6933-c37p-mprr
5.3
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
5.3 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
vuln.today AI
5.3 MEDIUM

AC:H reflects mandatory renderer pre-compromise; C:H is warranted given arbitrary process memory disclosure; I:N and A:N apply as no write or availability impact exists.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 02:32 vuln.today
CVSS changed
Jul 01, 2026 - 02:22 NVD
5.3 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
MEDIUM 5.3
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Uninitialized Use in UI in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

AnalysisAI

Uninitialized memory exposure in the UI layer of Google Chrome on Android (prior to 150.0.7871.47) allows an attacker who has already compromised the renderer process to read potentially sensitive data from process memory by serving a crafted HTML page. The vulnerability is CWE-457 (use of uninitialized variable) and is scoped to the Android platform only. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Deliver renderer RCE exploit via crafted page
Delivery
Compromise Chrome renderer sandbox
Exploit
Craft malicious HTML to trigger UI uninitialized read
Execution
Read sensitive browser process memory
Impact
Exfiltrate captured data

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker has already achieved code execution within Chrome's renderer process via a separate, independent vulnerability - this is the hard prerequisite embedded in the description ('remote attacker who had compromised the renderer process'). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 5.3 with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N reflects a genuine medium-severity finding. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker first exploits a separate, unpatched renderer RCE vulnerability to gain code execution within Chrome's sandboxed renderer process on an Android device. From that foothold, the attacker serves a crafted HTML page that triggers the uninitialized UI memory read, surfacing sensitive data - such as tokens, cached credentials, or other in-process secrets - from the browser process memory. …
Remediation Update Google Chrome on Android to version 150.0.7871.47 or later via the Google Play Store or the device's standard app update mechanism. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

EUVD-2026-40657 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy