HIGH 8.1

CVE-2026-10930: Chrome ANGLE Out-of-Bounds Read on macOS

An out-of-bounds read vulnerability in ANGLE (the graphics translation layer used by Chrome on macOS) allows attackers to read sensitive memory from your system by tricking you into visiting a malicious website. The flaw affects Chrome versions before 149.0.7827.53 on Apple macOS. While the attacker cannot directly modify data or take control of your system through this specific vulnerability, they can extract confidential information—including passwords, encryption keys, or other sensitive data stored in memory—and cause Chrome to crash.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Weaknesses (CWE)
CWE-125
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Out of bounds read in ANGLE in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10930 is an out-of-bounds read vulnerability in ANGLE on Chrome for macOS. The vulnerability arises from improper bounds checking in memory access operations, falling under CWE-125 (Out-of-bounds Read). When a user visits a specially crafted HTML page, the malicious content triggers ANGLE's graphics processing to read memory beyond allocated buffer boundaries. This allows extraction of adjacent heap or stack memory contents. The attack requires user interaction (visiting the malicious page) but no authentication or system-level privileges. The attack surface is the Chrome rendering engine itself, making any user viewing untrusted web content at risk.

Business impact

Organizations relying on macOS and Chrome face potential data exfiltration from browser memory, which could include cached credentials, session tokens, or other sensitive information. In industries handling proprietary data, healthcare records, or financial information, unauthorized memory disclosure creates compliance and intellectual property risks. The requirement for user interaction (clicking a link or visiting a site) means targeted phishing or watering-hole campaigns are the likely attack vectors. Widespread exploitation could result in credential compromise across a user population, enabling follow-on attacks against corporate infrastructure. System stability is also at risk due to the availability impact component.

Affected systems

Google Chrome versions prior to 149.0.7827.53 running on Apple macOS. The vulnerability does not affect Chrome on Windows, Linux, or other platforms, nor does it affect other browsers. macOS versions are not specified as a limiting factor; the issue lies in Chrome's ANGLE implementation. Organizations should audit Chrome deployment versions on macOS infrastructure and user endpoints.

Exploitability

Exploitability is moderate to high in practice. While the vulnerability requires user interaction (visiting a malicious page), the attack is remotely triggerable over the network with no authentication. The CVSS score of 8.1 (High) reflects high impact (confidentiality and availability) combined with low attack complexity. Attackers do not need ANGLE or Chrome expertise—a crafted HTML file hosted on any website or delivered via email can trigger the flaw. However, active exploitation requires targeting users with outdated Chrome on macOS, suggesting a targeted rather than mass-worm scenario. KEV status is not active, indicating limited evidence of weaponized public exploits at publication.

Remediation

Immediate patching is required. Users and administrators must update Google Chrome to version 149.0.7827.53 or later on macOS systems. Organizations should prioritize macOS Chrome deployment in patch management workflows, particularly for users handling sensitive data. Endpoint management tools can enforce automatic updates or restrict Chrome on unpatched systems. Until patching is complete, supplementary controls include restricting access to untrusted websites, disabling extensions that could deliver malicious content, and segmenting sensitive data handling to non-macOS systems or updated browsers.

Patch guidance

Verify and deploy Google Chrome version 149.0.7827.53 or later on all affected macOS systems. Most users can enable automatic updates; corporate environments should validate patch deployment through MDM or browser policy controls. After patching, restart Chrome or the system to ensure the update is active. Test critical web applications and extensions post-update to confirm functionality. Organizations managing multiple macOS devices should establish a phased rollout to detect compatibility issues early before full deployment.

Detection guidance

Monitor Chrome process behavior and memory access patterns for anomalies, though direct detection of exploitation at the binary level is challenging without specialized instrumentation. Log access to systems hosting crafted HTML pages, especially from macOS Chrome user-agents. EDR tools may flag unusual memory corruption or crash dumps from Chrome. Examine browser history and network logs for unexpected visits to unusual domains or low-reputation sites that could serve attack payloads. Since the vulnerability requires malicious HTML delivery, monitor email gateways and web proxies for delivery of HTML files or links to known exploitation hosting. Threat intelligence feeds may identify adversary infrastructure related to CVE-2026-10930 campaigns.

Why prioritize this

This vulnerability warrants high priority due to its CVSS score of 8.1, high impact on confidentiality (memory disclosure of sensitive data), and broad user base of macOS Chrome users. The combination of remote network attack, low complexity, and no authentication requirement makes it an attractive target for targeted espionage or credential theft. While KEV status is not active, the vulnerability's design—requiring only user interaction to visit a malicious page—means attack campaigns are feasible. Organizations handling regulated data or high-value intellectual property should prioritize patching within days, not weeks.

Risk score, explained

The CVSS 3.1 score of 8.1 reflects: Attack Vector (Network) and low Attack Complexity (no special conditions needed), resulting in a readily exploitable flaw. User Interaction (Required) prevents mass-worm scenarios but is still low friction in phishing contexts. Scope (Unchanged) indicates the impact is isolated to Chrome. The high severity is driven by high Confidentiality impact (memory disclosure of sensitive data) and high Availability impact (system crash potential). The vulnerability does not permit code execution or privilege escalation, keeping the score below 9.0.

Frequently asked questions

Does this vulnerability affect my organization if we don't use Chrome on macOS?

No. CVE-2026-10930 is specific to Chrome on macOS. If your organization uses Chrome exclusively on Windows or Linux, or uses other browsers, you are not directly affected. However, if any users or contractors use personal Chrome on macOS, or if remote workers do so, the risk extends beyond managed infrastructure.

What does 'out-of-bounds read' mean, and why is it dangerous?

An out-of-bounds read occurs when software accesses memory outside its intended boundaries. In this case, ANGLE reads past the end of a graphics buffer. This can expose adjacent memory containing passwords, encryption keys, session tokens, or other sensitive data. It is dangerous because attackers can extract confidential information without modifying systems or being detected by traditional intrusion detection focused on code execution.

Will patching break existing extensions or web applications?

Chrome security patches rarely cause compatibility issues with web applications or well-maintained extensions. Test the patch in a lab environment on representative macOS systems before rollout. If you run custom or legacy extensions, verify their compatibility post-update. In most cases, the update is seamless.

What should I do if I cannot patch immediately?

Until you patch, restrict users from visiting untrusted websites, disable browser extensions except those essential for business, and consider temporarily routing macOS Chrome traffic through a proxy with content filtering. More robustly, isolate unpatched macOS systems from handling sensitive data or restrict their web access to whitelisted, approved sites only. However, these are temporary mitigations—patching remains the only complete fix.

This analysis is provided for informational purposes to assist security professionals in risk assessment and remediation planning. The vulnerability details, CVSS score, and affected versions are based on official vendor advisories and CVE records current as of the publication date. Readers must verify patch availability and compatibility with their specific configurations before deployment. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and does not provide legal advice. Organizations should conduct independent testing and consult vendor documentation for authoritative guidance. Exploitation of CVE-2026-10930 remains subject to applicable laws and ethical standards. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).