CVE-2026-10008: Chrome Android GPU Memory Disclosure Vulnerability
Google Chrome on Android contains an uninitialized memory flaw in the GPU rendering pipeline that could allow an attacker to extract sensitive data from the browser process. An attacker would craft a malicious HTML page that, when loaded by a user, exploits how the GPU handles uninitialized memory regions—leaking fragments of previously-used data that may contain sensitive information. This is a memory disclosure vulnerability, not a code execution flaw, but information leaks can enable follow-on attacks or expose credentials, tokens, and personal data.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-457
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Uninitialized Use in GPU in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10008 is an uninitialized-use vulnerability (CWE-457) in Chrome's GPU graphics subsystem on Android. The flaw stems from the GPU renderer failing to initialize memory before use, creating a window where stale data from prior GPU operations remains accessible to a web page. By crafting HTML that triggers specific GPU operations, an attacker can read uninitialized buffer contents and infer sensitive information about the browser process memory layout and cached data. The vulnerability requires user interaction (the user must visit a malicious page) but no special privileges. The attack surface is high because any HTML page served via http/https can attempt exploitation.
Business impact
Organizations whose users rely on Chrome for Android for business purposes face information disclosure risk. For individuals: credential theft, session hijacking, and exposure of cached sensitive information. For enterprises: compromised browser-based access to email, cloud services, and internal web applications. The non-critical severity rating reflects the need for user interaction, but the attack is passive from the user's perspective—they simply visit a webpage. Android deployments are particularly common in BYOD environments, multiplying the exposure.
Affected systems
Google Chrome on Android versions prior to 148.0.7778.216. Desktop Chrome and other Chromium-based browsers on Android (such as Edge, Samsung Internet if built on affected Chromium base) may have similar exposure depending on their versioning and patch cadence. The vulnerability does not affect Chrome on Windows, macOS, Linux, or iOS based on the published advisory scope.
Exploitability
Exploitability is moderate. An attacker must craft a specific HTML page and socially engineer or advertise it to target users. No special network conditions, advanced browser exploits, or privilege escalation are required. The attack does not crash the browser or leave obvious traces. However, the attacker's ability to reliably extract *specific* sensitive data (e.g., a particular credential) is limited by randomization and the probabilistic nature of uninitialized memory—useful for reconnaissance or side-channel attacks but not guaranteed exploitation of a known target value.
Remediation
Chrome on Android must be updated to version 148.0.7778.216 or later. Users should enable automatic updates in Chrome settings (Menu > Settings > About Chrome). Organizations managing Android devices via Mobile Device Management (MDM) should push the update through their management console. There is no workaround for unpatched devices other than avoiding untrusted websites or disabling JavaScript, both impractical for normal use.
Patch guidance
Apply Chrome update 148.0.7778.216 or any subsequent stable release. Verify the installed version in Settings > About Chrome; the app will automatically check for updates. If automatic updates are disabled, manually open Settings > About Chrome to trigger an immediate check. Organizations using Android Enterprise should confirm that managed devices are configured to receive the latest Chrome version; use the Google Play app version or bundled Chromium, not sideloaded builds. Test updates on a representative device before rolling out org-wide to catch compatibility issues.
Detection guidance
Endpoint Detection and Response (EDR) tools cannot reliably detect exploitation attempts because the attack is carried out within a sandboxed browser process and leaves minimal forensic artifacts. Monitor Chrome update adoption rates via MDM dashboards to ensure timely patching. Log collection from web proxies can identify attempts to visit known malicious campaign sites, though the malicious HTML itself may be hosted legitimately or via compromised servers. Consider blocking or warning on JavaScript-heavy pages from untrusted sources if your organization can tolerate that friction. Memory forensics post-incident might reveal GPU buffer artifacts, but this is not a practical ongoing detection method.
Why prioritize this
CVE-2026-10008 warrants urgent patching (prioritize within 1–2 weeks) despite the CVSS 6.5 medium score, because: (1) it affects a mainstream consumer-facing application with billions of users; (2) the attack requires no special privileges or network conditions; (3) information disclosure can enable credential or session theft; (4) Chrome's update velocity is fast, making the patch deployment straightforward. However, it does not warrant emergency (same-day) patching because exploitation requires user interaction and delivered data is non-deterministic, limiting its appeal for mass attacks or ransomware campaigns.
Risk score, explained
CVSS 6.5 (Medium) reflects: High Confidentiality impact (information disclosure from process memory), No Integrity or Availability impact (read-only), Network-accessible attack vector, Low complexity attack (crafted HTML page), and Required User Interaction (user must visit the malicious page). The score appropriately discounts exploitation likelihood due to the need for social engineering. However, the Chromium security team rated it 'High' severity, which may indicate context-specific concern (e.g., prevalence of Android Chrome in targeted regions, feasibility of reliable data extraction in practice, or downstream attack chains).
Frequently asked questions
Can an attacker steal my password by exploiting this vulnerability?
Not directly and reliably. The vulnerability leaks fragments of uninitialized GPU memory, which *may* contain cached data from the browser process. If a password or session token happens to be in an uninitialized buffer at the moment of exploitation, yes—but an attacker cannot target a specific password. The leaked data is unpredictable. In practice, attackers might use this leak for reconnaissance (learning memory layout, process IDs, system information) to support a more targeted secondary attack.
Do I need to do anything other than update Chrome?
No. Updating Chrome to 148.0.7778.216 or later fully mitigates the vulnerability. There is no configuration change, no cleanup of corrupted state, and no risk of regression. If you use Android Enterprise or an MDM, ensure your device management policy includes Chrome in its scope and is set to deploy the latest version automatically.
Why doesn't this vulnerability show up on CISA's Known Exploited Vulnerabilities list?
CISA's KEV list includes only vulnerabilities confirmed to be exploited in active campaigns in the wild. As of the latest data, this CVE has not been added to that list, which suggests it is not currently being weaponized at scale by threat actors—or that exploitation is not yet widely observed or reported. This does not mean the vulnerability is safe to ignore; it remains exploitable, but the immediate threat is lower than vulnerabilities already in use by attackers.
What should Android Enterprise customers do?
Verify that your Google Play Managed Configuration or bundled Chrome deployment is set to the 'Always update' policy. Check your MDM console for Chrome version distribution across enrolled devices. Confirm that devices are checking in and receiving updates within your organization's policy window (typically weekly). For any manually-sideloaded or alternative Chromium builds, ensure the vendor providing them has also released a patched version and is configured to auto-update.
This analysis is provided for educational and incident response purposes. Patch versions, KEV status, and vendor product information are derived from official CVE, Chromium, and CISA public sources as of the publication date. Security severity assessments may change if new exploitation techniques emerge. Always verify patch availability and compatibility with your specific Chrome build and Android version against the official Google Chrome release notes. This is not legal advice, and organizations should consult their own risk management and compliance frameworks when prioritizing remediation. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10977MEDIUMUninitialized Use in Chrome Skia Renderer—Data Leak Risk
- CVE-2026-10994MEDIUMGoogle Chrome ANGLE Memory Disclosure Vulnerability – Update to 149.0.7827.53
- CVE-2026-11033MEDIUMChrome macOS WebML Memory Disclosure Vulnerability
- CVE-2026-10960HIGHChrome Sandbox Escape via Uninitialized Codec Variable
- CVE-2026-10973HIGHChrome Cross-Origin Data Leak via Uninitialized Memory
- CVE-2026-10976HIGHChrome Uninitialized Use Memory Disclosure Vulnerability (CVSS 7.4)
- CVE-2026-26824MEDIUMlibxls Use-of-Uninitialized-Memory Vulnerability
- CVE-2025-48648MEDIUMAndroid NotificationManagerService Resource Exhaustion DoS