Cyber Resilience

CVE-2026-10973

High

Published: 04 June 2026

Modified: 08 June 2026
KEV Added
Patch
CVSS Score v3.1: 7.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N)
EPSS Score: 0.0086 (53.9th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-10973 is a high-severity Use of Uninitialized Variable (CWE-457) vulnerability in Google Chrome. Its CVSS base score is 7.4 (High).

Operationally, it is ranked in the top 46.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability is an uninitialized use flaw (CWE-457) in the Dawn component of Google Chrome versions prior to 149.0.7827.53. It carries a CVSS 3.1 score of 7.4 and was rated High severity by the Chromium project, affecting the browser's ability to safely handle certain graphics-related operations before memory initialization occurs.

A remote attacker can exploit the issue by serving a crafted HTML page that triggers the uninitialized memory access. Successful exploitation allows leakage of cross-origin data. In the CVSS model, the attack operates over the network, needs no privileges, requires user interaction, and has changed scope.

The referenced Chrome stable channel update and associated Chromium issue tracker entry indicate that the flaw is resolved by upgrading to version 149.0.7827.53 or later.

The EPSS score has remained flat at 0.0482 with no material rise after disclosure.

Vulnerability details

Uninitialized Use in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

CWE(s)

CWE-457 (Use of Uninitialized Variable)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google chrome ≤ 149.0.7827.53

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.