MEDIUM 6.5

CVE-2026-10985: Out-of-Bounds Read in Google Chrome Skia – Data Leakage Vulnerability

A flaw in Skia, the graphics rendering engine used by Google Chrome, allows attackers to read data they shouldn't have access to by crafting a malicious web page. When a user visits such a page, the browser's memory can leak information from other websites or origins, potentially exposing sensitive data. The attack requires user interaction—clicking a link or visiting a hostile site—but doesn't require any special browser permissions or configuration.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-125
Affected products
1 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Out of bounds read in Skia in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10985 is an out-of-bounds read vulnerability in the Skia graphics library integrated into Chromium. The flaw permits a remote, unauthenticated attacker to trigger an out-of-bounds memory read via a specially crafted HTML document. The vulnerability allows leakage of cross-origin data, violating the same-origin policy that normally isolates web content. The Chromium project rated this as High severity; the resulting CVSS score reflects the confidentiality impact while accounting for the requirement of user interaction.

Business impact

This vulnerability puts users at risk of credential theft, session hijacking, or exposure of sensitive information viewed in other browser tabs. Organizations should expect increased phishing and social engineering campaigns designed to trick users into visiting malicious sites. Data breaches affecting customers or employees could result in regulatory fines, reputational damage, and incident response costs. For businesses relying on Chrome as their standard browser, patch delays amplify exposure across the workforce.

Affected systems

Google Chrome versions prior to 149.0.7827.53 are vulnerable. The Skia library is embedded in Chromium-based browsers, so other browsers built on Chromium (Edge, Brave, Opera, etc.) may also be affected; users should consult those vendors' advisories for specific version guidance. Desktop, mobile, and sync scenarios all present risk vectors.

Exploitability

Exploitation requires a victim to visit an attacker-controlled or compromised website. The attack is remotely deliverable with no privilege escalation required. While user interaction is necessary, the bar is low—a simple visit suffices. No special browser settings or prior compromise is needed. The accessibility of web-based exploitation makes this threat credible in the wild, though no evidence of active exploitation appears in public advisories at time of publication.

Remediation

Update Google Chrome to version 149.0.7827.53 or later immediately. Browser auto-update should handle deployment, but verify completion across your fleet. If your organization uses Chromium-based alternatives (Edge, Brave, Opera), patch those browsers to the corresponding patched versions released by their respective vendors. Test patched versions in a non-production environment first if you maintain custom configurations or extensions.

Patch guidance

Google Chrome will auto-update to the patched version; however, users should manually check Settings > About Chrome to force an immediate check and restart. Organizations using managed browser deployments should consult their MDM or configuration management system to confirm the update policy targets version 149.0.7827.53 or later. Verify successful patching by confirming the version string in chrome://version/ matches or exceeds the fixed release. For Chromium-based browsers from other vendors, consult their official security advisories to obtain the equivalent patched version.

Detection guidance

Monitor Chrome version telemetry and browser inventory tools to identify systems still running versions before 149.0.7827.53. Check MDM logs for failed or delayed updates. Network-based detection of attacks is difficult because the malicious HTML is delivered over standard HTTPS; focus on endpoint telemetry and crash dumps if available. Monitor for unusual memory access patterns or GPU-related errors in browser crash reports, though these are not reliable indicators. User reports of unexpected data leaks or cross-site anomalies may signal exploitation attempts.

Why prioritize this

Although rated MEDIUM by CVSS, the ease of exploitation, cross-origin data leakage impact, and prevalence of Chrome in the workforce justify urgent patching. The low bar for user interaction and the confidentiality-only impact (no code execution) align with a measured but swift response—not emergency-level, but high in the monthly patch cycle. Organizations should treat this as a priority patch to complete within 7–14 days.

Risk score, explained

The CVSS 3.1 score of 6.5 reflects a network-accessible vulnerability with low complexity and no privilege required, offset by the requirement for user interaction and the absence of integrity or availability impact. The High confidentiality rating captures the cross-origin data leakage. Real-world risk is elevated by Chrome's ubiquity, making this a common attack surface for threat actors seeking to steal credentials or session tokens.

Frequently asked questions

Can the attacker execute code or take over my system?

No. This vulnerability is limited to reading out-of-bounds memory and leaking cross-origin data. It does not enable arbitrary code execution, privilege escalation, or system compromise. However, the leaked data could include passwords, tokens, or other secrets that may enable downstream attacks.

Do I need to do anything if I have auto-update enabled?

Chrome's auto-update feature should deploy version 149.0.7827.53 automatically, but deployment may lag by a few hours or days. You can force an immediate update by navigating to Settings > About Chrome, which will check and install any pending updates. Verify completion by checking the version string.

Are other browsers affected?

Chromium-based browsers such as Microsoft Edge, Brave, and Opera may include the vulnerable Skia code. Check their official security advisories and update accordingly. Firefox and Safari use different rendering engines and are not affected by this specific Skia vulnerability.

How can I avoid exploitation in the meantime?

Avoid visiting unfamiliar or untrusted websites, especially those in suspicious emails or messages. Be cautious with links from unknown sources. Keeping your browser updated is the most reliable defense. If you cannot patch immediately, consider using a secondary browser or limiting sensitive activity in Chrome until the patch is deployed.

This analysis is based on publicly available information as of the publication and modification dates provided. CVSS scores, patch versions, and vulnerability status are provided as stated by the vendor and KEV catalog. Organizations must verify patch compatibility and test in their own environments before broad deployment. No active exploitation has been confirmed at publication; threat landscape may evolve. For authoritative guidance, consult Google's official security advisory and your vendor's patch documentation. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).