CVE-2026-10976: Chrome Uninitialized Use Memory Disclosure Vulnerability (CVSS 7.4)
A memory disclosure vulnerability exists in Google Chrome's graphics engine (Dawn) that could allow an attacker to read sensitive data from Chrome's process memory. The flaw stems from uninitialized variables being used without proper initialization checks. An attacker would need to trick a user into visiting a specially crafted webpage to trigger the vulnerability. The issue affects Chrome versions before 149.0.7827.53.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.4 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-457
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Uninitialized Use in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10976 is an uninitialized use vulnerability (CWE-457) in the Dawn graphics library component of Google Chrome. Uninitialized variables in graphics processing operations can retain remnants of prior process memory. When an attacker-controlled HTML page triggers specific rendering operations, these uninitialized buffers may be exposed through side channels or direct memory access patterns. The vulnerability requires user interaction (visiting a malicious page) but does not require elevated privileges, and the impact crosses security boundaries within the browser context (CVSS vector: AV:N/AC:L/PR:N/UI:R/S:C).
Business impact
Confidentiality impact is high: attackers could extract encryption keys, session tokens, cached credentials, or other sensitive data resident in Chrome process memory. Since the attack requires only network access and user interaction, any organization where employees browse untrusted sites faces exposure. For sensitive workflows (financial services, healthcare, government), this vulnerability could compromise data governance and regulatory compliance postures. Indirect impacts include potential supply-chain reconnaissance if attackers target development or security teams.
Affected systems
Google Chrome versions prior to 149.0.7827.53 are affected. The vulnerability is specific to the Chrome browser; other Chromium-based browsers may be affected depending on their version status and whether they incorporate the vulnerable Dawn code. Organizations must verify the Chrome version deployed across their environment; automated patching policies should prioritize this update.
Exploitability
Exploitability is moderate to high. No CISA KEV inclusion indicates the vulnerability is not yet widely exploited in the wild or not part of documented active campaigns. However, the low attack complexity (AC:L), lack of privilege requirements (PR:N), and need only for user interaction (UI:R) make this practical for opportunistic attacks. Proof-of-concept techniques are likely to emerge quickly given the public disclosure. Sophisticated threat actors targeting specific individuals or organizations could craft convincing phishing contexts to increase click-through rates.
Remediation
Update Google Chrome to version 149.0.7827.53 or later immediately. Chrome's auto-update mechanism should deploy the patch automatically for most users, but verify successful update on critical systems. Organizations using managed Chrome deployments should push the update through policy configuration tools (Google Admin Console, Chromebook management, or enterprise deployment systems). After patching, confirm via chrome://version that the build number reflects 149.0.7827.53 or higher.
Patch guidance
Deploy Chrome version 149.0.7827.53 or later across all instances. For enterprise environments: (1) Verify patch availability through your Chrome update channel (Stable, Beta, Dev); (2) Test the patch in a controlled environment to confirm no compatibility issues with line-of-business applications; (3) Push updates via MDM/EMM or Group Policy for managed devices; (4) Monitor update status via Chrome Management reporting; (5) Prioritize workstations and devices handling sensitive data. For consumer users, enable automatic updates in Chrome settings (chrome://settings/help) to ensure timely patching.
Detection guidance
Monitor for unusual memory access patterns or crashes in Chrome processes that coincide with visits to untrusted domains. Web proxy and DNS logs should be reviewed for connections to known malicious or suspicious HTML-serving infrastructure. Endpoint detection and response (EDR) tools should flag anomalous process memory reads or unexpected data exfiltration from Chrome. Look for evidence of crafted HTML files in browser cache or temp directories. Network detection should identify requests with suspicious DOM manipulation or graphics API calls that could trigger the vulnerability. Test your detection stack with samples or indicators published by Google's security team or trusted threat intelligence providers.
Why prioritize this
This vulnerability merits immediate patching due to its high confidentiality impact, low barrier to exploitation, and potential to compromise secrets in process memory. The lack of KEV status should not be misinterpreted as low risk; it indicates the vulnerability has not yet been observed in mass exploitation or ransomware campaigns, not that it is benign. Prioritize systems used by security teams, finance staff, remote workers, and any personnel handling authentication or encryption material. The user-interaction requirement (visiting a malicious page) makes it a practical social engineering vector.
Risk score, explained
CVSS 3.1 score of 7.4 (High) reflects: (1) Network-accessible attack vector with no authentication needed, enabling broad reachability; (2) Low attack complexity—no special techniques or system-specific knowledge required to craft a triggering HTML page; (3) User interaction required, reducing the attack pool but not eliminating it in phishing or watering-hole scenarios; (4) Scope change (S:C) indicates the vulnerability can affect resources beyond the vulnerable component; (5) High confidentiality impact as sensitive data in process memory is exposed; (6) No integrity or availability impact. The score appropriately reflects a serious but not critical issue—patches are available, and user awareness can partially mitigate risk.
Frequently asked questions
Can an attacker steal my passwords or credit card data with this vulnerability?
Potentially. If your passwords or sensitive payment information are in Chrome's process memory at the moment you visit a malicious page, the attacker could read them. This is most likely if you've recently logged into banking or e-commerce sites. For this reason, we recommend updating Chrome immediately and considering a password manager reset if you've visited untrusted sites recently.
Does this affect Chrome on mobile devices?
Google Chrome versions prior to 149.0.7827.53 across all platforms (Windows, macOS, Linux, Android, iOS) are potentially affected. Verify your mobile Chrome version in the app's settings and ensure updates are enabled. On iOS, Chrome updates are tied to App Store updates; on Android, updates are typically automatic but can be checked via Google Play Store.
If I have auto-updates enabled, am I already protected?
Likely, but verify. Chrome typically auto-updates within 24–48 hours of release. Check your version at chrome://version. If the version number is below 149.0.7827.53, manually trigger an update via chrome://settings/help. Enterprise deployments may have delayed rollout schedules, so don't assume immediate patch deployment.
Is this vulnerability being actively exploited?
No KEV (Known Exploited Vulnerabilities) listing indicates it is not part of documented active campaigns tracked by CISA. However, absence of public reports does not mean no exploitation is occurring; targeted attacks or exploit development in restricted circles may be underway. The vulnerability's practical exploitation window is open until most users patch, so we recommend treating it as a high priority.
This analysis is provided for educational and risk management purposes. Verify all technical details, patch versions, and vendor guidance against official sources: Google Chrome security advisories, the National Vulnerability Database (NVD), and your vendor's patch bulletins. This document does not constitute legal or compliance advice. Organizations should validate patch compatibility with their specific configurations before broad deployment. Exploit code and detailed attack techniques are not provided in this summary; refer to your threat intelligence provider or vendor advisories for additional operational security context. SEC.co and its authors disclaim liability for decisions made based on this summary. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10960HIGHChrome Sandbox Escape via Uninitialized Codec Variable
- CVE-2026-10973HIGHChrome Cross-Origin Data Leak via Uninitialized Memory
- CVE-2026-10008MEDIUMChrome Android GPU Memory Disclosure Vulnerability
- CVE-2026-10977MEDIUMUninitialized Use in Chrome Skia Renderer—Data Leak Risk
- CVE-2026-10994MEDIUMGoogle Chrome ANGLE Memory Disclosure Vulnerability – Update to 149.0.7827.53
- CVE-2026-11033MEDIUMChrome macOS WebML Memory Disclosure Vulnerability
- CVE-2026-26824MEDIUMlibxls Use-of-Uninitialized-Memory Vulnerability
- CVE-2025-22424HIGHAndroid Local Privilege Escalation via Image Disclosure