{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6364", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-15T14:28:38.705Z", "datePublished": "2026-04-15T19:04:59.385Z", "dateUpdated": "2026-04-16T13:53:06.236Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.101", "status": "affected", "lessThan": "147.0.7727.101", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Out of bounds read in Skia in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted file. (Chromium security severity: Medium)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Out of bounds read", "cweId": "CWE-125"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-15T19:04:59.385Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html"}, {"url": "https://issues.chromium.org/issues/502103414"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T13:47:22.053484Z", "id": "CVE-2026-6364", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T13:53:06.236Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-6364", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T13:47:22.053484Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T13:47:04.906Z"}}], "cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"status": "affected", "version": "147.0.7727.101", "lessThan": "147.0.7727.101", "versionType": "custom"}]}], "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html"}, {"url": "https://issues.chromium.org/issues/502103414"}], "descriptions": [{"lang": "en", "value": "Out of bounds read in Skia in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted file. (Chromium security severity: Medium)"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-125", "description": "Out of bounds read"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-15T19:04:59.385Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6364", "state": "PUBLISHED", "dateUpdated": "2026-04-16T13:53:06.236Z", "dateReserved": "2026-04-15T14:28:38.705Z", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "datePublished": "2026-04-15T19:04:59.385Z", "assignerShortName": "Chrome"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Out of bounds read in Skia in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted file. (Chromium security severity: Medium)"}], "id": "CVE-2026-6364", "lastModified": "2026-04-16T14:16:20.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-15T20:16:43.910", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/502103414"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "chrome-cve-admin@google.com", "type": "Secondary"}]}

{"bugzilla": {"description": "Skia: Google Chrome: Chromium: Skia: Information disclosure via out-of-bounds read in Google Chrome", "id": "2458786", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458786"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-125", "details": ["A flaw was found in Skia, a 2D graphics library used in Google Chrome. This vulnerability, an out-of-bounds read, allows a remote attacker to exploit it by tricking a user into opening a specially crafted file. Successful exploitation could lead to the disclosure of potentially sensitive information from the affected system's memory."], "name": "CVE-2026-6364", "public_date": "2026-04-15T19:04:59Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-6364\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-6364\nhttps://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html\nhttps://issues.chromium.org/issues/502103414"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,147.0.7727.101)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-17T06:26:20.096893+00:00", "value": {"mitigation_remediation": ["Update Chrome to version\u202f147.0.7727.101 or newer.", "Restrict opening of untrusted or unknown files that might trigger the exploit.", "Keep Chrome\u2019s sandboxing and Safe Browsing features enabled to limit exposure."], "summary": {"action": "Patch", "impact": "Remote memory data disclosure"}, "threat_synthesis": {"affected_systems": "Google Chrome versions prior to 147.0.7727.101 on all supported operating systems are affected. The flaw originates in the Skia library, so any installation of Chrome that uses that library is at risk, regardless of the user\u2019s platform.", "description_and_impact": "This vulnerability is an out\u2011of\u2011bounds read in the Skia graphics subsystem used by Google Chrome. A crafted file can trigger the read and expose data from Chrome\u2019s process memory, enabling an attacker to retrieve potentially sensitive information. The Chromium team rates the severity as Medium.", "risk_and_exploitability": "The estimated probability of exploitation is low and the vulnerability has not been listed in the CISA catalog of known exploited vulnerabilities. However, the vulnerability carries a medium severity rating of 6.5 on the Common Vulnerability Scoring System, indicating a notable risk. An attacker can exploit this remotely by delivering a crafted file that a user opens; Chrome will then read memory outside the bounds of the image buffer. The exploit requires only that the user view the file and does not depend on elevated privileges, making it accessible through social engineering or phishing. Once the out\u2011of\u2011bounds read occurs, an attacker can capture arbitrary data such as cookies or cached credentials stored in memory."}}}}, "created": "2026-04-15T22:00:06.468295+00:00", "updated": "2026-04-17T06:30:11.608325+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}