CVE-2026-10977: Uninitialized Use in Chrome Skia Renderer—Data Leak Risk
Google Chrome versions before 149.0.7827.53 contain a flaw in Skia (Chrome's graphics rendering engine) that could allow an attacker who has already compromised your browser's renderer process to steal data from websites you visit. The attacker would need to trick you into viewing a specially crafted webpage. This is a real but narrowly scoped risk—it requires the renderer to already be under attacker control, limiting the immediate threat from casual browsing.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-457
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Uninitialized Use in Skia in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10977 is an uninitialized use vulnerability (CWE-457) in the Skia rendering engine bundled with Google Chrome. An attacker with control of the renderer process can construct a malicious HTML page that triggers use of uninitialized memory, leaking cross-origin data that should be isolated by Chrome's sandbox boundary. The vulnerability is reachable via user interaction (viewing a crafted page) but exploitation requires prior renderer compromise. Chromium rates this as High severity; CVSS 3.1 assessment is 6.5 (MEDIUM), reflecting the confidentiality impact and user-interaction requirement.
Business impact
If your organization relies on Chrome for sensitive web applications or SaaS platforms, this vulnerability creates a secondary data-leakage vector for already-compromised endpoints. An attacker who has achieved code execution in the renderer (via a prior exploit, malware, or supply-chain compromise) gains the ability to harvest cross-origin session tokens, API keys, or user data. This extends dwell time value for attackers and elevates the cost of a renderer compromise. For most organizations, the practical risk is moderate unless you operate high-value web applications or process regulated data in the browser.
Affected systems
Google Chrome versions prior to 149.0.7827.53 are affected. This includes all stable, beta, and dev builds released before the fix. Chromium-based browsers that vendor their own Skia build (Edge, Brave, Opera, etc.) may be affected depending on their update cadence and whether they backport the fix. Check vendor advisories for Chromium derivatives. Chrome on all platforms (Windows, macOS, Linux, Android, iOS) is in scope.
Exploitability
Exploitation requires two conditions: (1) the renderer process must already be compromised, and (2) the user must visit a page hosting the malicious HTML. The vulnerability is not a remote code execution vector by itself—it is a post-compromise information leak. An attacker cannot weaponize this through standard phishing or drive-by downloads alone. However, once a renderer is compromised via another flaw, this becomes trivially exploitable. This vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog, indicating no active in-the-wild exploitation has been confirmed at time of publication.
Remediation
Update Google Chrome to version 149.0.7827.53 or later. Chrome's auto-update mechanism will deliver the patch automatically on restart for most users. Enterprise deployments should verify update deployment via Chrome's Device Management reporting. No manual configuration changes or workarounds are needed; patching is the only remediation.
Patch guidance
Google Chrome will auto-update for consumer users, typically within 24–48 hours of release. Enterprises can force deployment via Chrome policies or by updating via official distribution channels (e.g., Windows Update, macOS Software Update, Linux package managers). Verify the installed version by navigating to chrome://version/ or checking Settings > About Chrome. For managed environments, use Google Admin Console to monitor rollout status. No restart is required beyond the standard Chrome auto-restart behavior.
Detection guidance
Monitor Chrome version telemetry and update compliance in your endpoint management tools. Network-level detection of exploitation is difficult because the data leak is in-memory and does not typically generate outbound network artifacts unless the attacker exfiltrates the leaked data via a separate channel. Endpoint detection should focus on (1) presence of unexpected code execution in the renderer process, (2) unusual memory access patterns if behavioral monitoring is in place, and (3) audit logs showing access to sensitive data shortly after a chrome.exe process anomaly. Intrusion detection signatures for Skia exploitation are not yet publicly available due to the post-compromise nature of this flaw.
Why prioritize this
While the CVSS score is MEDIUM (6.5), the practical risk tier depends on your threat model. Prioritize patching in the following order: (1) High—systems running sensitive web applications or handling regulated data; (2) Medium—general enterprise endpoints that may be targets for initial compromise; (3) Low—air-gapped or low-value systems. The lack of KEV designation and absence of in-the-wild exploitation mean this is not an immediate emergency, but it should be treated as a standard critical Chrome security update given Chrome's prevalence.
Risk score, explained
CVSS 3.1 assigns 6.5 (MEDIUM) due to: High confidentiality impact (C:H) from successful cross-origin data leakage, no integrity or availability impact (I:N, A:N), network-based attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but user interaction required (UI:R) because the victim must visit the malicious page. Chromium's own severity rating (High) reflects the browser team's assessment that uninitialized-use bugs in rendering engines are frequently exploitable in chain attacks. The discrepancy between CVSS MEDIUM and Chromium High is typical and reflects different rating philosophies; trust Chromium's assessment for Chrome-specific risk.
Frequently asked questions
Do I need to do anything, or will Chrome update automatically?
Chrome will auto-update for most users. Restart Chrome (or your computer) after you see the notification prompt. Enterprise admins should verify rollout via endpoint management dashboards; users can manually check chrome://version/ to confirm they're on 149.0.7827.53 or later.
What data could be leaked if my renderer is compromised?
An attacker with renderer control can leak data from websites you're visiting—session cookies, localStorage, cross-origin tokens, and in-flight data. They cannot access data from sites you're not currently viewing. The leak is limited to what the renderer process has in memory at the moment of exploitation.
Does this affect Chrome extensions or third-party apps?
Chrome extensions run in the same renderer sandbox, so if the renderer is compromised, extensions cannot provide additional protection. Third-party applications that embed Chromium (like Electron apps) may also be affected; check the vendor's security advisories for guidance on updating their bundled Chromium version.
Is this flaw exploited in the wild yet?
No. CISA's Known Exploited Vulnerabilities catalog does not list this CVE as of the publication date, meaning there is no confirmed active exploitation. However, this does not mean it will never be exploited; you should patch promptly as part of routine Chrome security maintenance.
This analysis is provided for informational purposes. SEC.co makes no warranty regarding accuracy, completeness, or fitness for any specific use. CVSS and KEV determinations are sourced from official CVE records and CISA data as of the publication date. Patch version numbers and remediation steps should be verified against official Google Chrome security advisories and your vendor's documentation. Organizations must conduct their own risk assessment and testing in accordance with their change management policies before deploying patches to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10008MEDIUMChrome Android GPU Memory Disclosure Vulnerability
- CVE-2026-10994MEDIUMGoogle Chrome ANGLE Memory Disclosure Vulnerability – Update to 149.0.7827.53
- CVE-2026-11033MEDIUMChrome macOS WebML Memory Disclosure Vulnerability
- CVE-2026-10960HIGHChrome Sandbox Escape via Uninitialized Codec Variable
- CVE-2026-10973HIGHChrome Cross-Origin Data Leak via Uninitialized Memory
- CVE-2026-10976HIGHChrome Uninitialized Use Memory Disclosure Vulnerability (CVSS 7.4)
- CVE-2026-26824MEDIUMlibxls Use-of-Uninitialized-Memory Vulnerability
- CVE-2025-48648MEDIUMAndroid NotificationManagerService Resource Exhaustion DoS