Skip to main content

Google Chrome EUVDEUVD-2026-41177

| CVE-2026-14384 MEDIUM
Out-of-bounds Read (CWE-125)
2026-07-01 Chrome GHSA-mfww-59q4-m6q7
6.5
CVSS 3.1 · Vendor: Chrome
Share

Severity by source

Vendor (Chrome) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-delivered via crafted page (AV:N), low complexity, no attacker privileges; user must visit page (UI:R); impact is confidentiality-only within browser process (C:H/I:N/A:N/S:U).

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (Chrome).

CVSS VectorVendor: Chrome

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 02, 2026 - 17:25 vuln.today
CVSS changed
Jul 02, 2026 - 17:22 NVD
6.5 (MEDIUM)
CVE Published
Jul 01, 2026 - 22:21 cve.org
MEDIUM 6.5
CVE Published
Jul 01, 2026 - 22:21 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Out of bounds read in ANGLE in Google Chrome on Windows prior to 150.0.7871.46 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

AnalysisAI

Cross-origin data leakage in Google Chrome on Windows prior to 150.0.7871.46 stems from an out-of-bounds read in ANGLE, the browser's graphics abstraction layer. Remote attackers can exploit this by serving a crafted HTML page to a Windows user, causing the ANGLE subsystem to read memory beyond its intended buffer boundary and exposing data belonging to a separate web origin. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker hosts crafted HTML page
Delivery
Victim on Windows Chrome visits page
Exploit
Browser invokes ANGLE for graphics rendering
Execution
ANGLE out-of-bounds read triggered in Direct3D path
Impact
Cross-origin memory contents exposed to attacker-controlled script

Vulnerability AssessmentAI

Exploitation Victim must be running Google Chrome on Windows (the ANGLE Direct3D translation path is Windows-specific). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N yields a 6.5 (Medium), reflecting significant confidentiality impact but requiring victim interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a crafted HTML page containing WebGL or canvas operations specifically designed to trigger an out-of-bounds read in ANGLE's Direct3D translation path on Windows. When a Chrome user on Windows visits the page, ANGLE processes the malicious graphics commands and reads beyond the intended buffer, exposing memory contents from a cross-origin context (such as data from an embedded iframe belonging to a different origin) back to the attacker-controlled page. …
Remediation Upgrade Google Chrome on Windows to version 150.0.7871.46 or later, which contains the vendor-released patch for this vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

EUVD-2026-41177 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy