By weakness (CWE)

CWE-457: related vulnerabilities

CVEs classified under CWE-457. Understanding the weakness class helps prioritize systemic fixes over one-off patches.

8 published vulnerabilities

  • CVE-2026-10960HIGH 8.3

    CVE-2026-10960 is a sandbox escape vulnerability in Google Chrome's video codec handling. An attacker who has already compromised Chrome's renderer process—the sandboxed component responsible for processing web content—can exploit an uninitialized variable in the codec logic to break out of the sandbox and gain full system access. The attack requires a crafted HTML page and user interaction, but once the renderer is compromised, the attacker can leverage this flaw to escalate to native code execution outside Chrome's security boundary.

  • CVE-2026-10973HIGH 7.4

    A flaw in Google Chrome's Dawn graphics component allowed attackers to extract sensitive data across website boundaries through a specially crafted web page. The vulnerability required user interaction (clicking or visiting a malicious page) but did not require any special privileges. An attacker could craft HTML that exploits uninitialized memory in Chrome's graphics processing to read data from other origins that should have been isolated, potentially exposing authentication tokens, personal information, or other sensitive content loaded in the same browser session.

  • CVE-2026-10976HIGH 7.4

    A memory disclosure vulnerability exists in Google Chrome's graphics engine (Dawn) that could allow an attacker to read sensitive data from Chrome's process memory. The flaw stems from uninitialized variables being used without proper initialization checks. An attacker would need to trick a user into visiting a specially crafted webpage to trigger the vulnerability. The issue affects Chrome versions before 149.0.7827.53.

  • CVE-2026-10008MEDIUM 6.5

    Google Chrome on Android contains an uninitialized memory flaw in the GPU rendering pipeline that could allow an attacker to extract sensitive data from the browser process. An attacker would craft a malicious HTML page that, when loaded by a user, exploits how the GPU handles uninitialized memory regions—leaking fragments of previously-used data that may contain sensitive information. This is a memory disclosure vulnerability, not a code execution flaw, but information leaks can enable follow-on attacks or expose credentials, tokens, and personal data.

  • CVE-2026-10977MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a flaw in Skia (Chrome's graphics rendering engine) that could allow an attacker who has already compromised your browser's renderer process to steal data from websites you visit. The attacker would need to trick you into viewing a specially crafted webpage. This is a real but narrowly scoped risk—it requires the renderer to already be under attacker control, limiting the immediate threat from casual browsing.

  • CVE-2026-10994MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a flaw in the ANGLE graphics library that can leak sensitive data from your browser's memory. An attacker can craft a malicious webpage that, when you visit it, reads uninitialized memory and potentially extracts information like passwords, tokens, or other private data. The vulnerability requires user interaction (clicking or viewing the page) but does not require special browser permissions.

  • CVE-2026-11033MEDIUM 6.5

    A memory initialization flaw in Chrome's WebML component on macOS allows attackers to steal sensitive data. When a user visits a malicious webpage, the browser may leak uninitialized memory contents—potentially exposing passwords, tokens, or other private information—without requiring any special user interaction beyond loading the page. The issue affects Chrome versions before 149.0.7827.53 on Apple's macOS.

  • CVE-2026-26824MEDIUM 6.5

    libxls, a widely-used library for reading Microsoft Excel files, has a memory safety issue that could allow an attacker to crash applications or potentially leak sensitive information. The vulnerability exists in how the library initializes internal data structures when parsing Excel file containers. An attacker who crafts a malicious Excel file and tricks a user or application into opening it could trigger the vulnerability. This is a moderate-severity issue affecting the library through version 1.6.3.