MEDIUM 4.0

CVE-2026-10998: Chrome Media Out-of-Bounds Memory Read Vulnerability

CVE-2026-10998 is a memory safety issue in Google Chrome's media handling code that allows an attacker positioned on the same local network to read data from memory locations they shouldn't have access to. The vulnerability exists in Chrome versions before 149.0.7827.53. An attacker would need to send specially crafted network traffic to trigger an out-of-bounds read, which could potentially expose sensitive information resident in the browser's memory. This is a local-network-only threat, meaning the attacker must be on your network segment to exploit it.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.0 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-125
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Out of bounds read in Media in Google Chrome prior to 149.0.7827.53 allowed an attacker on the local network segment to perform an out of bounds memory read via malicious network traffic. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This vulnerability is a heap or stack out-of-bounds read (CWE-125) in the media codec processing subsystem of Chromium. When Chrome's media player processes malicious network traffic from an attacker on the local network segment, it fails to validate memory boundaries correctly, allowing the attacker to read data outside intended buffer limits. The flaw does not provide direct code execution or crash capability—it is purely an information disclosure issue. The CVSS 3.1 score of 4.0 (Medium) reflects the local attack vector (AV:L), low complexity (AC:L), no privilege requirement, and confidentiality impact limited to the reading of sensitive data without integrity or availability compromise.

Business impact

Information disclosure from browser memory could expose user session tokens, cached credentials, encryption keys, or other sensitive data processed by the browser. In enterprise environments where employees access internal web applications or cloud services, this could lead to lateral movement or privilege escalation if stolen credentials are reused. The local-network requirement limits exposure to users on corporate WiFi networks or shared office networks, but does not eliminate the risk in environments with untrusted device connectivity. Regulatory impact depends on the sensitivity of data exposed; PII or payment card data in memory could trigger breach notification obligations.

Affected systems

Google Chrome versions prior to 149.0.7827.53 are directly affected. The vulnerability affects Chrome running on Windows, macOS, and Linux systems. While the CVE references these operating systems as affected platforms, the vulnerability is fundamentally in the Chromium media engine, so all Chrome deployments on these OS versions are in scope. Users of Chromium-based browsers built from source code prior to the patched version may also be affected, though the CVE does not explicitly name those derivatives.

Exploitability

Exploitation requires the attacker to be on the same local network segment as the victim. The attack complexity is low, and no user interaction is required—the malicious network traffic can be sent directly to the target. However, the practical window for exploitation is narrowed by the specificity of the media handling code; the attacker must craft network packets that the browser actually processes through its media codec pipeline. This is not a trivial remote code execution; it is a targeted memory read requiring knowledge of Chrome's internal memory layout. Patch adoption rates and network segmentation practices will influence real-world risk.

Remediation

Update Google Chrome to version 149.0.7827.53 or later. Chrome's auto-update mechanism typically rolls out patches within days; check Settings > About Chrome to force an immediate update. For managed enterprise deployments, configure group policies or mobile device management to enforce minimum Chrome version requirements. Consider network segmentation to restrict untrusted devices from accessing your corporate network segment, which directly reduces the attack surface. Users on guest or open WiFi networks should assume higher risk until patched.

Patch guidance

Google released version 149.0.7827.53 as the stable release addressing this vulnerability. Verify the exact patch version against the official Chrome release notes and security advisory. Enterprise administrators should use Chrome Enterprise policy settings to enforce auto-updates or stage the rollout through managed deployment pipelines. The patch is incremental and does not require special migration steps; existing user data and settings are preserved. Test patch compatibility with internal web applications if your organization relies on older web standards; however, this is a security patch and should not introduce compatibility regressions.

Detection guidance

Monitor browser access logs for unusual network traffic patterns originating from local network segments, particularly if correlated with media playback or codec processing errors. Browser error logs may show media processing failures or memory violations around the time of exploitation, though attackers will attempt to trigger the flaw silently. Endpoint detection and response (EDR) tools can flag unusual memory access patterns or browser process behavior. Network monitoring between trusted and untrusted devices on the same segment may reveal reconnaissance or exploit attempt traffic, though payload inspection is difficult without decryption. Prioritize patch deployment as the primary detection mitigation.

Why prioritize this

This vulnerability merits prompt but not emergency remediation. The CVSS score of 4.0 and Medium severity reflect the local-network-only attack requirement and information-disclosure-only impact. However, the zero-complexity exploitation, lack of user interaction, and potential exposure of sensitive cached data make it more pressing than typical Medium-severity issues. Organizations with high-value user sessions (financial services, healthcare, government) should prioritize this higher. The vulnerability is not yet on the CISA Known Exploited Vulnerabilities list, suggesting limited real-world exploitation to date, but this may change as details become public. Recommend applying patches within 2–3 weeks of stable release, sooner for high-security environments.

Risk score, explained

The CVSS 3.1 vector AV:L (Attack Vector: Local) and AC:L (Attack Complexity: Low) establish a baseline moderate risk. The scope is unchanged (S:U), meaning the attacker cannot impact other systems. Confidentiality impact is Low (C:L)—data can be read but the exposure is constrained to the attacked process memory. Integrity and Availability are unaffected (I:N, A:N). The resulting score of 4.0 accurately reflects a memory disclosure vulnerability that does not lead to system compromise or widespread data exfiltration, but poses enough risk to credential and session data to warrant timely patching. Real-world risk elevation occurs in environments with high-value cached data or shared network access.

Frequently asked questions

Does this vulnerability allow remote code execution?

No. This is a memory information disclosure vulnerability, not a code execution flaw. An attacker can read data from memory outside normal boundaries but cannot execute arbitrary code or crash the browser. The impact is limited to confidentiality; integrity and availability are not affected.

Can I be exploited if I'm not on a local network with the attacker?

No. The vulnerability requires the attacker to be on the same local network segment as your device. It cannot be exploited over the internet or through a firewall if your network is properly segmented. Users behind a NAT or corporate firewall are safer unless the attacker is also inside that network.

Will updating Chrome affect my saved passwords or bookmarks?

No. The patch (version 149.0.7827.53 or later) is a security update that does not modify the database structure for stored data. Your passwords, bookmarks, extensions, and browsing history will remain intact after the update.

What should I do if I suspect this vulnerability was exploited against me?

Update Chrome immediately to the latest version. Review your browser's stored passwords and consider changing credentials for high-value accounts (email, banking, corporate access) if the device has been on an untrusted network. Monitor your accounts for suspicious activity. If you handle sensitive data professionally, notify your security team for forensic analysis and credential reset recommendations.

This analysis is based on the CVE record and official vendor advisory as of the published date. Actual exploitability, patch availability, and real-world impact may evolve. Organizations should verify patch version numbers and availability against official Google Chrome release notes and their own vendor advisories before deployment. This document does not constitute legal advice and should not be relied upon as the sole basis for security decisions. Consult your internal security team and vendor advisories for definitive guidance on your specific environment. SEC.co makes no warranty regarding the accuracy or completeness of this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).