Skip to main content

Google Chrome EUVDEUVD-2026-42481

| CVE-2026-15109 MEDIUM
Use of Uninitialized Variable (CWE-457)
2026-07-08 chrome-cve-admin@google.com GHSA-qj6x-x634-3rc3
6.5
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Crafted HTML page delivers exploit over network with no auth; user must visit page (UI:R); impact is confidentiality-only memory leak, no integrity or availability effect.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 09, 2026 - 15:23 vuln.today
CVSS changed
Jul 09, 2026 - 15:22 NVD
6.5 (None) 6.5 (MEDIUM)
CVE Published
Jul 08, 2026 - 23:16 cve.org
MEDIUM 6.5
CVE Published
Jul 08, 2026 - 23:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Uninitialized Use in ANGLE in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Uninitialized memory use in Chrome's ANGLE graphics layer exposes potentially sensitive process memory contents to remote attackers across all desktop Chrome versions prior to 150.0.7871.115. The flaw is triggered by a crafted HTML page requiring user interaction, limiting automated mass exploitation - consistent with SSVC classifying it as non-automatable with partial technical impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Lure victim to attacker-controlled HTML page
Delivery
Page triggers crafted WebGL or graphics operations in Chrome
Exploit
ANGLE reads uninitialized process memory during rendering
Execution
Leaked memory bytes surfaced to attacker-controlled JavaScript
Impact
Attacker exfiltrates sensitive memory fragments

Vulnerability AssessmentAI

Exploitation A victim must actively navigate to or be redirected to an attacker-controlled HTML page using Chrome prior to 150.0.7871.115 on a desktop platform - the CVSS UI:R metric confirms this as a hard requirement. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 6.5 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) accurately characterizes this as a network-reachable, low-complexity information disclosure requiring one click from the victim. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious HTML page containing specially constructed WebGL or graphics API calls designed to trigger the uninitialized memory read in ANGLE's rendering pipeline. The victim is lured to this page via phishing or a malicious advertisement, and upon rendering the page in an unpatched Chrome browser, attacker-controlled JavaScript receives or infers the leaked memory bytes - potentially recovering fragments of sensitive content from the browser process heap such as cached credentials or cross-origin data. …
Remediation Upgrade Google Chrome to version 150.0.7871.115 or later - this is the vendor-confirmed fixed release per the stable channel advisory at http://chromereleases.googleblog.com/2026/07/stable-channel-update-for-desktop_01162222768.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42481 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy