CVE-2026-10019: Chrome ANGLE Integer Overflow Enables Cross-Origin Data Leak
A vulnerability in Google Chrome's ANGLE graphics library (versions before 148.0.7778.216) allows attackers to trick users into visiting a malicious webpage that leaks sensitive data from other websites the user is currently viewing. The flaw stems from improper handling of large numbers in memory calculations, which an attacker can exploit to read cross-origin information that should remain isolated. Users on Windows, macOS, and Linux systems running affected Chrome versions are at risk.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-472
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Integer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10019 is an integer overflow vulnerability (CWE-472) in ANGLE, Google's graphics abstraction layer for WebGL and hardware acceleration. When processing specially crafted rendering commands, inadequate bounds checking permits an integer to exceed its maximum value, causing memory allocation calculations to wrap around. This allows attackers to access heap memory regions containing data from cross-origin contexts, bypassing the same-origin policy that normally isolates websites from each other. The vulnerability requires user interaction—the victim must visit or be redirected to the attacker's webpage—but does not require elevated privileges or complex system configuration.
Business impact
Organizations face data exfiltration risk if employees browse untrusted websites while authenticated to sensitive web applications. Customer data, authentication tokens, proprietary information, and personal identifiable information could leak to attackers. Financial institutions, healthcare providers, law firms, and SaaS platforms hosting confidential data are at elevated risk. Incident response costs, regulatory notification obligations (GDPR, HIPAA, state privacy laws), and reputational damage compound the business impact. Additionally, widespread use of Chrome in enterprise environments means the attack surface is large.
Affected systems
Google Chrome versions prior to 148.0.7778.216 on Windows, macOS, and Linux systems are vulnerable. Chrome on mobile platforms (Android, iOS) running the same or earlier versions should also be assessed. The vulnerability does not affect other Chromium-based browsers unless they bundle the vulnerable ANGLE version; however, Edge, Opera, and Brave users should verify patch status. The vulnerability is not a kernel or OS-level issue, so patches to Windows, macOS, or Linux kernel alone will not mitigate it—Chrome must be updated specifically.
Exploitability
Exploitation requires moderate attacker sophistication. The attacker must craft a malicious HTML page with WebGL or graphics operations that trigger the integer overflow, then convince or redirect a user to that page. No authentication or special system access is required. The user merely needs to visit the compromised site while authenticated to another service; they do not need to click further or disable security settings. The CVSS score of 8.8 reflects the high attack surface (network-accessible), low barrier to entry (no authentication), and high impact (confidentiality and integrity). The vulnerability is not currently in active public exploit or the CISA KEV catalog, but the attack is well within the capability of nation-state and sophisticated cybercriminal groups.
Remediation
Immediately update Google Chrome to version 148.0.7778.216 or later. Chrome automatically downloads updates but may require a browser restart to apply them; users can verify the installed version in Chrome's about menu. For organizations, deploy Chrome updates via ADMX policies (Windows) or MDM profiles (macOS, mobile) to enforce uniformity. Disable or restrict access to untrusted websites through network policies if possible, though this is not a substitute for patching. Users on unsupported OS versions (e.g., Windows 7, very old macOS) should upgrade their operating system or consider alternative browsers if Chrome updates are unavailable.
Patch guidance
Verify your installed Chrome version by navigating to chrome://settings/help, which displays the current version and initiates an auto-update if available. Version 148.0.7778.216 or any subsequent 148+ release addresses this vulnerability. After updating, restart the browser to ensure the new code is loaded. For enterprise deployment, refer to Google's official Chrome Enterprise release notes and ADMX templates to confirm version 148.0.7778.216 availability in your managed environment. Test patches in a pilot group before organization-wide rollout. Mobile users should update Chrome through their platform's app store; auto-update settings can be enabled to streamline future patches.
Detection guidance
Endpoint detection and response (EDR) solutions can monitor for abnormal WebGL or graphics API calls, though signature-based detection is difficult without Chrome's internal instrumentation. Log browser crashes or WebGL context losses, which may indicate exploitation attempts. Network-based detection is impractical for this vulnerability, as the exploit traffic is encrypted HTTPS between the user and the attacker's site. Focus instead on ensuring rapid patch deployment and monitoring for anomalous data exfiltration (outbound connections from browsers containing sensitive data). Gather Chrome version inventory across endpoints to identify stragglers. If breach suspected, examine browser cache, history, and session data for evidence of visits to suspicious domains during the window of vulnerability exposure.
Why prioritize this
Although classified as Medium severity by Chromium, the CVSS score of 8.8 reflects High risk due to full confidentiality compromise, potential integrity impact, and user-level availability disruption. The lack of KEV status does not diminish urgency—the vulnerability affects billions of Chrome users and has straightforward exploitation requirements. Cross-origin data leakage can compromise entire organizations if employees are targeted. Patch availability is immediate and non-disruptive, making remediation low-cost. Prioritize this for patching within 48–72 hours, particularly for roles with access to sensitive systems.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) is justified by: (1) Attack Vector Network—the malicious page is served over the internet to any Chrome user; (2) Attack Complexity Low—no special conditions beyond crafting a webpage; (3) Privileges Required None—no authentication or elevation needed; (4) User Interaction Required—the user must visit the page, but this is easily achieved via phishing or compromised ads; (5) Scope Unchanged—the impact is confined to the user's browser session; (6) Confidentiality High—cross-origin data is fully readable; (7) Integrity High—attackers can inject or modify data within the browser context; (8) Availability High—a malicious page could crash or render the browser unresponsive. The gap between Chromium's 'Medium' rating and the CVSS 8.8 likely reflects Google's conservative risk model; the CVSS vector more accurately captures the practical threat.
Frequently asked questions
Does this vulnerability affect Chrome on Android and iOS?
Yes, Chrome for Android and iOS versions prior to 148.0.7778.216 are vulnerable. Update through the Google Play Store or Apple App Store respectively. Tablets running older Chrome versions are also at risk.
Can an attacker steal my password or payment card information with this flaw?
If your password or card details are currently loaded in another browser tab or are cached by a web application, yes—an attacker could leak that data. The vulnerability bypasses the same-origin policy, allowing the malicious page to read cross-origin memory. Avoid keeping multiple sensitive sessions open in the same browser while this remains unpatched.
Do I need to do anything if I've already updated Chrome to version 148+?
No. If chrome://settings/help shows version 148.0.7778.216 or higher, you are protected and no further action is needed for this CVE. Continue enabling auto-update to stay protected against future vulnerabilities.
Is this vulnerability actively being exploited in the wild?
As of the publication date (May 28, 2026), there are no confirmed reports of active exploitation in the wild, and the vulnerability is not on CISA's KEV catalog. However, the straightforward nature of the attack means threat actors will likely develop exploits soon. Do not delay patching based on absence of current public exploitation.
This analysis is provided for informational purposes and represents the state of public information as of June 17, 2026. SEC.co makes no warranties regarding the accuracy, completeness, or timeliness of this content. Readers must independently verify all patch versions, supported platforms, and remediation steps against official vendor advisories and release notes. This document does not constitute professional security advice; organizations should engage qualified security professionals for incident response, risk assessment, and remediation planning. CVE-2026-10019 analysis reflects publicly available information and community research; any discrepancies with official Google or vendor guidance should be resolved in favor of the vendor's guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10009HIGHChrome Skia Integer Overflow Sandbox Escape – Patch Guidance
- CVE-2026-10015HIGHChrome WTF Integer Overflow RCE Vulnerability Analysis
- CVE-2026-10921HIGHChrome Dawn Integer Overflow Sandbox Escape Vulnerability
- CVE-2026-10924HIGHChrome Integer Overflow Sandbox Escape Vulnerability
- CVE-2026-10963HIGHChrome V8 Integer Overflow RCE – Sandbox Escape Vulnerability
- CVE-2026-10964HIGHGoogle Chrome V8 Integer Overflow Remote Code Execution Vulnerability
- CVE-2026-10965HIGHChrome DevTools Integer Overflow Remote Code Execution
- CVE-2026-10986HIGHChrome Integer Overflow in Media Processing – Patch Now