Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
AC:H reflects mandatory renderer pre-compromise; C:H is warranted given arbitrary process memory disclosure; I:N and A:N apply as no write or availability impact exists.
Primary rating from Vendor (google).
CVSS VectorVendor: google
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Uninitialized Use in UI in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
AnalysisAI
Uninitialized memory exposure in the UI layer of Google Chrome on Android (prior to 150.0.7871.47) allows an attacker who has already compromised the renderer process to read potentially sensitive data from process memory by serving a crafted HTML page. The vulnerability is CWE-457 (use of uninitialized variable) and is scoped to the Android platform only. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the attacker has already achieved code execution within Chrome's renderer process via a separate, independent vulnerability - this is the hard prerequisite embedded in the description ('remote attacker who had compromised the renderer process'). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 5.3 with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N reflects a genuine medium-severity finding. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker first exploits a separate, unpatched renderer RCE vulnerability to gain code execution within Chrome's sandboxed renderer process on an Android device. From that foothold, the attacker serves a crafted HTML page that triggers the uninitialized UI memory read, surfacing sensitive data - such as tokens, cached credentials, or other in-process secrets - from the browser process memory. … |
| Remediation | Update Google Chrome on Android to version 150.0.7871.47 or later via the Google Play Store or the device's standard app update mechanism. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-457 – Use of Uninitialized Variable
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Moderate| Product | Status |
|---|---|
| SUSE Package Hub 15 SP7 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Package Hub 15 SP7 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40657
GHSA-6933-c37p-mprr