Skip to main content

Google Chrome EUVDEUVD-2026-40750

| CVE-2026-14063 MEDIUM
Out-of-bounds Read (CWE-125)
2026-06-30 chrome-cve-admin@google.com GHSA-jhm7-5pwp-pw2x
5.7
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
5.7 MEDIUM
AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
vuln.today AI
5.7 MEDIUM

Attack is delivered via network traffic to a local-network Chromecast component, making AV:A more accurate than AV:L; no privileges required; user interaction needed; confidentiality-only impact.

3.1 AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
CVSS changed
Jul 01, 2026 - 15:22 NVD
5.5 (MEDIUM) 5.7 (MEDIUM)
Analysis Generated
Jul 01, 2026 - 02:40 vuln.today
CVSS changed
Jul 01, 2026 - 02:22 NVD
5.5 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 30, 2026 - 23:17 cve.org
MEDIUM 5.5

DescriptionCVE.org

Out of bounds read in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a local attacker to obtain potentially sensitive information from process memory via malicious network traffic. (Chromium security severity: Low)

AnalysisAI

Out-of-bounds read in Chrome's Chromecast component allows a local attacker to leak sensitive contents from the browser's process memory by delivering malicious network traffic to the affected subsystem. Affected versions are all Chrome releases prior to 150.0.7871.47 on desktop platforms. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local network adjacency
Delivery
Craft malicious Chromecast protocol packets
Exploit
Victim Chrome processes Cast network traffic
Execution
Out-of-bounds read triggered in Chromecast component
Impact
Sensitive process memory bytes leaked to attacker

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) the attacker be positioned on the same local network as the victim to deliver malicious Chromecast protocol traffic; (2) the victim's Chrome browser must be processing Chromecast-related network activity at the time of the attack - either actively using the Cast feature or with the Cast component initialized; and (3) some degree of user interaction (UI:R per CVSS vector) is required, though the exact interaction is not specified in available data. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 5.5 with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N presents a notable tension: the attack vector is Local (AV:L), yet the mechanism is explicitly described as 'malicious network traffic,' which is more consistent with an Adjacent (AV:A) vector. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker positioned on the same local network as the victim crafts malicious Chromecast protocol messages - such as spoofed Cast receiver responses or manipulated streaming negotiation packets - and transmits them to the target system running a vulnerable Chrome version. When the victim's Chrome browser processes these packets via its Chromecast component (for example, while browsing a Cast-enabled site or with the Cast toolbar active), the out-of-bounds read is triggered, potentially exposing fragments of Chrome's process memory to the attacker. …
Remediation The primary fix is upgrading Google Chrome to version 150.0.7871.47 or later, which resolves this vulnerability per the vendor's stable channel update advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

EUVD-2026-40750 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy