Skip to main content

Google Chrome EUVDEUVD-2026-41192

| CVE-2026-14421 MEDIUM
Use of Uninitialized Variable (CWE-457)
2026-07-01 Chrome GHSA-rxxj-fpv4-4vvw
6.5
CVSS 3.1 · Vendor: Chrome
Share

Severity by source

Vendor (Chrome) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network delivery via crafted page (AV:N), no attacker auth needed (PR:N), user must visit page (UI:R), and only confidentiality is impacted (C:H) with no integrity or availability effect.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (Chrome).

CVSS VectorVendor: Chrome

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 02, 2026 - 02:25 vuln.today
CVSS changed
Jul 02, 2026 - 02:22 NVD
6.5 (None) 6.5 (MEDIUM)
CVE Published
Jul 01, 2026 - 22:21 cve.org
MEDIUM 6.5
CVE Published
Jul 01, 2026 - 22:21 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Uninitialized Use in Dawn in Google Chrome on ChromeOS prior to 150.0.7871.46 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

AnalysisAI

Uninitialized memory use in Dawn, Chrome's WebGPU implementation, on ChromeOS prior to version 150.0.7871.46 enables remote attackers to read potentially sensitive contents from GPU process memory by serving a crafted HTML page. The flaw (CWE-457) allows stale or uninitialized buffer data to be exposed back to the requesting JavaScript context without proper sanitization. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker hosts crafted WebGPU HTML page
Delivery
Victim on ChromeOS navigates to page
Exploit
Browser passes malicious GPU operations to Dawn
Execution
Dawn reads uninitialized memory buffer
Persist
Stale process memory returned to JavaScript context
Impact
Attacker exfiltrates leaked sensitive data

Vulnerability AssessmentAI

Exploitation Exploitation requires the target device to be running Google Chrome on ChromeOS specifically - Chrome on Windows, macOS, or Linux is not identified as affected. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N scores 6.5, reflecting a network-reachable, low-complexity attack that requires no attacker authentication and produces High confidentiality impact - a meaningful signal for data exposure risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a webpage containing crafted WebGPU shader or buffer operations designed to trigger uninitialized memory reads within Chrome's Dawn component. A ChromeOS user browses to the page - possibly via a phishing link or malicious advertisement - and the page's JavaScript receives back uninitialized GPU process memory contents, potentially including sensitive data from prior allocations such as session tokens or cryptographic material, which are then exfiltrated to the attacker. …
Remediation Update Google Chrome on ChromeOS to version 150.0.7871.46 or later; this is the vendor-released patch confirmed by the Chrome stable channel advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

EUVD-2026-41192 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy