Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Crafted HTML page delivers exploit over network with no auth; user must visit page (UI:R); impact is confidentiality-only memory leak, no integrity or availability effect.
Primary rating from Vendor (google).
CVSS VectorVendor: google
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Uninitialized Use in ANGLE in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
AnalysisAI
Uninitialized memory use in Chrome's ANGLE graphics layer exposes potentially sensitive process memory contents to remote attackers across all desktop Chrome versions prior to 150.0.7871.115. The flaw is triggered by a crafted HTML page requiring user interaction, limiting automated mass exploitation - consistent with SSVC classifying it as non-automatable with partial technical impact. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | A victim must actively navigate to or be redirected to an attacker-controlled HTML page using Chrome prior to 150.0.7871.115 on a desktop platform - the CVSS UI:R metric confirms this as a hard requirement. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 6.5 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) accurately characterizes this as a network-reachable, low-complexity information disclosure requiring one click from the victim. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious HTML page containing specially constructed WebGL or graphics API calls designed to trigger the uninitialized memory read in ANGLE's rendering pipeline. The victim is lured to this page via phishing or a malicious advertisement, and upon rendering the page in an unpatched Chrome browser, attacker-controlled JavaScript receives or infers the leaked memory bytes - potentially recovering fragments of sensitive content from the browser process heap such as cached credentials or cross-origin data. … |
| Remediation | Upgrade Google Chrome to version 150.0.7871.115 or later - this is the vendor-confirmed fixed release per the stable channel advisory at http://chromereleases.googleblog.com/2026/07/stable-channel-update-for-desktop_01162222768.html. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-457 – Use of Uninitialized Variable
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42481
GHSA-qj6x-x634-3rc3