Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Network delivery via crafted page (AV:N), no attacker auth needed (PR:N), user must visit page (UI:R), and only confidentiality is impacted (C:H) with no integrity or availability effect.
Primary rating from Vendor (Chrome).
CVSS VectorVendor: Chrome
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Uninitialized Use in Dawn in Google Chrome on ChromeOS prior to 150.0.7871.46 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
AnalysisAI
Uninitialized memory use in Dawn, Chrome's WebGPU implementation, on ChromeOS prior to version 150.0.7871.46 enables remote attackers to read potentially sensitive contents from GPU process memory by serving a crafted HTML page. The flaw (CWE-457) allows stale or uninitialized buffer data to be exposed back to the requesting JavaScript context without proper sanitization. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target device to be running Google Chrome on ChromeOS specifically - Chrome on Windows, macOS, or Linux is not identified as affected. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N scores 6.5, reflecting a network-reachable, low-complexity attack that requires no attacker authentication and produces High confidentiality impact - a meaningful signal for data exposure risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker hosts a webpage containing crafted WebGPU shader or buffer operations designed to trigger uninitialized memory reads within Chrome's Dawn component. A ChromeOS user browses to the page - possibly via a phishing link or malicious advertisement - and the page's JavaScript receives back uninitialized GPU process memory contents, potentially including sensitive data from prior allocations such as session tokens or cryptographic material, which are then exfiltrated to the attacker. … |
| Remediation | Update Google Chrome on ChromeOS to version 150.0.7871.46 or later; this is the vendor-released patch confirmed by the Chrome stable channel advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-457 – Use of Uninitialized Variable
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Moderate| Product | Status |
|---|---|
| SUSE Package Hub 15 SP7 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Package Hub 15 SP7 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41192
GHSA-rxxj-fpv4-4vvw