HIGH 7.4

CVE-2026-10973: Chrome Cross-Origin Data Leak via Uninitialized Memory

A flaw in Google Chrome's Dawn graphics component allowed attackers to extract sensitive data across website boundaries through a specially crafted web page. The vulnerability required user interaction (clicking or visiting a malicious page) but did not require any special privileges. An attacker could craft HTML that exploits uninitialized memory in Chrome's graphics processing to read data from other origins that should have been isolated, potentially exposing authentication tokens, personal information, or other sensitive content loaded in the same browser session.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.4 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Weaknesses (CWE)
CWE-457
Affected products
1 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Uninitialized Use in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10973 is an uninitialized use vulnerability (CWE-457) in Dawn, Google Chrome's graphics abstraction layer. The flaw stems from improper initialization of memory structures, allowing a remote attacker to leak cross-origin data via a crafted HTML page. The attack surface is the renderer process; exploitation requires network access and user interaction (UI redirect). The vulnerability affects Chrome versions prior to 149.0.7827.53. Chromium assessed this as High severity due to the confidentiality impact and relatively low barrier to exploitation.

Business impact

Organizations where employees use Chrome as their primary browser face a concrete risk of data exfiltration. An attacker could target users at financial institutions, SaaS platforms, or internal web applications to harvest session tokens, personal identifiable information, or confidential business data. The cross-origin nature of the leak means a compromised website or ad network could siphon data from legitimate sites the user visits in the same browsing session. For enterprises managing sensitive workflows in web applications, this vulnerability elevates the risk profile of user browsers as an attack vector.

Affected systems

Google Chrome versions prior to 149.0.7827.53 are affected. Chromium-based browsers that incorporate the same version of Dawn may also be vulnerable, though specific vendors and patch timelines vary. Check your organization's browser inventory and vendor advisory pages for derived browsers (Edge, Brave, Vivaldi, etc.). Desktop and mobile versions should be assessed.

Exploitability

Exploitation requires a remote attacker to craft malicious HTML and convince or redirect a user to visit it. The attack surface is limited to active browsing sessions. No authentication, elevated privileges, or complex interactions beyond standard web page rendering are needed. The complexity is low once the HTML is crafted. However, successful attacks depend on user click-through or redirect mechanisms, which somewhat constrains real-world frequency. The vulnerability does not appear on CISA's KEV catalog as of publication, suggesting limited evidence of active exploitation in the wild at the time of disclosure.

Remediation

Update Google Chrome to version 149.0.7827.53 or later immediately. For enterprises, configure managed Chrome deployments to auto-update, or enforce mandatory updates through Group Policy (Windows), Configuration Profiles (macOS), or mobile device management platforms. Verify that derived Chromium browsers (Microsoft Edge, etc.) are also updated via their respective channels. Until patched, advise users to avoid visiting untrusted websites and to isolate sensitive web sessions in separate browser profiles or instances.

Patch guidance

Google Chrome 149.0.7827.53 contains the fix. Users can check their current version at chrome://version and force an update via the three-dot menu → Help → About Google Chrome. Enterprise deployments should test the patch in a staging environment before rolling out; no breaking changes are expected. Verify patch deployment against your browser management console or MDM platform. Third-party Chromium forks should check their vendor advisory; patch availability may lag Chrome's release. Mobile Chrome (Android and iOS) should also be updated through the Google Play Store or App Store respectively.

Detection guidance

Monitor for Chrome version compliance in your fleet using mobile device management, endpoint detection and response, or browser telemetry tools. Log and alert on any high-volume access to sensitive web applications from Chrome instances running version < 149.0.7827.53. Network detection is limited since the attack is rendered-side; focus on endpoint inventory and version audits. Correlate successful data exfiltration indicators (unexpected API calls, token theft, cross-origin requests in browser logs) with the presence of older Chrome versions on affected systems. Consider network segmentation to limit cross-origin data sharing at the proxy layer as a compensating control.

Why prioritize this

A CVSS 7.4 (High) score with cross-origin data leakage justifies immediate attention, especially for organizations handling PII, financial data, or authentication tokens in web applications. The low attack complexity and requirement only for user interaction make this a credible exploit vector. The absence from CISA's KEV catalog does not diminish urgency; early patching reduces the window of opportunity for attackers to develop and weaponize exploits. Prioritize systems where users regularly access sensitive web portals.

Risk score, explained

The score of 7.4 reflects high confidentiality impact (cross-origin data exposure), network accessibility, low attack complexity, and the need for user interaction. Integrity and availability are not affected. The scope is changed because the impact extends beyond the vulnerable component (renderer) to other origins. Organizations relying on browser-based authentication or storing sensitive data in web apps should treat this as a critical update cycle item; the score alone, combined with functional real-world exploitability, warrants rapid deployment.

Frequently asked questions

Can this vulnerability be exploited without the user clicking anything?

No, the vulnerability requires user interaction in the form of visiting or being redirected to a malicious web page. However, that interaction can be as simple as following a link in an email or a redirect from an ad network, so the bar for triggering the attack is relatively low.

If I update to Chrome 149.0.7827.53, am I fully protected?

Yes, the patch addresses the uninitialized memory issue in Dawn. However, ensure you are running the exact version or later; check chrome://version to confirm. Also update any derived browsers (Edge, Brave, etc.) through their respective channels, as they may use different release schedules.

Does this vulnerability affect Chrome on mobile devices?

Yes, Chrome on both Android and iOS can be affected if running a version prior to 149.0.7827.53. Update through the Google Play Store (Android) or App Store (iOS). Enterprise deployments using managed Chrome should enforce automatic updates.

Is there a workaround if I cannot update immediately?

No complete workaround exists. Mitigations include: using separate browser profiles or instances for sensitive tasks, disabling JavaScript in the browser settings (severe limitation), or temporarily using a different browser for sensitive operations. However, patching is the only reliable fix.

This analysis is based on publicly available information as of June 2026. CVSS scores, patch versions, and affected product lists reflect vendor advisories and official disclosures. Organizations should verify patch availability and compatibility against their specific environment before deployment. No exploit code or weaponized proof-of-concept is provided in this analysis. For the latest vendor updates and technical details, consult Google Chrome's official security advisories and your browser vendor's release notes. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).