HIGH 8.8

CVE-2026-10955: Type Confusion in Chrome ANGLE on Windows – Critical Patch Required

A type confusion vulnerability exists in ANGLE, the graphics abstraction layer used by Google Chrome on Windows. An attacker can craft a malicious web page that, when visited by a user, exploits this flaw to access memory outside intended boundaries. This could lead to information disclosure, data corruption, or system crashes. The vulnerability requires user interaction (visiting a malicious page) but needs no special privileges to trigger.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-843
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Type Confusion in ANGLE in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10955 is a type confusion vulnerability (CWE-843) in ANGLE, Google Chrome's GPU abstraction layer on Windows. The flaw allows remote code execution through out-of-bounds memory access when processing specially crafted HTML content. The attack vector is network-based with low complexity; exploitation requires user interaction but no authentication. The vulnerability affects Chrome versions prior to 149.0.7827.53. Type confusion vulnerabilities in graphics drivers and rendering engines are particularly dangerous because they often operate in privileged contexts and handle untrusted input (web content) at scale.

Business impact

This vulnerability poses a significant risk to any organization where employees use Chrome on Windows systems to access the internet. A successful exploit could result in credential theft, intellectual property theft, or installation of persistent malware. The requirement for user interaction means targeted phishing campaigns combining this vulnerability with social engineering could be particularly effective. Organizations relying on Chrome as their primary browser face elevated risk until patching is complete, especially in industries handling sensitive data or intellectual property.

Affected systems

Google Chrome on Microsoft Windows prior to version 149.0.7827.53 is vulnerable. The vulnerability does not affect Chrome on other platforms (macOS, Linux, Android, iOS) or non-ANGLE based browsers. Windows systems running Chrome are the sole target. Organizations should verify their Chrome version to determine exposure scope.

Exploitability

Exploitation requires crafting a malicious HTML page and convincing a user to visit it, which is a moderate barrier but achievable through phishing, compromised advertisements, or malicious websites. Once a user visits the page, exploitation is reliable and does not require user awareness or additional interaction beyond the initial visit. No public exploit code is known to exist at this time, and the vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. However, the simplicity of the attack surface (any website, any HTML) means this could be weaponized quickly once attack code is published.

Remediation

Immediate remediation is to update Google Chrome to version 149.0.7827.53 or later on all Windows systems. Chrome typically auto-updates, but administrators should verify completion. For organizations unable to patch immediately, restrict Chrome usage to internal, vetted websites and disable plugin execution if feasible. Consider browser isolation or sandboxing solutions for high-risk users accessing untrusted content. Verify patch deployment across your fleet before considering the vulnerability resolved.

Patch guidance

Update Chrome via Settings > About Chrome, which typically triggers an automatic update check. Organizations managing Chrome through Active Directory or mobile device management should push version 149.0.7827.53 or higher. Verify the patch by checking Chrome version (chrome://version) across representative systems. Test patch deployment in a non-production environment first if your organization uses Chrome extensions or internally-hosted web applications, to ensure compatibility. Google typically releases patches on Tuesdays; check the Chrome Releases blog for confirmation of availability.

Detection guidance

Monitor Chrome version inventory across Windows endpoints using endpoint detection and response (EDR) tools or mobile device management platforms. Look for browsers reporting versions below 149.0.7827.53. Web application firewalls may detect exploit attempts if they include suspicious JavaScript patterns targeting graphics processing or memory manipulation, though ANGLE vulnerabilities are often difficult to detect at the network layer. Endpoint telemetry may show unusual GPU memory access or renderer process crashes as indirect indicators of exploit attempts. Prioritize detection of unpatched systems over detection of active exploitation, given the vulnerability is not yet widely exploited.

Why prioritize this

This vulnerability warrants urgent attention due to its high CVSS score (8.8), network attack vector, low attack complexity, and potential for broad impact across Windows-using organizations. The requirement for user interaction is the primary mitigating factor, but it does not substantially lower risk given how frequently employees browse the web. The lack of KEV status indicates no known widespread exploitation yet, providing a window to patch before real-world attacks materialize. Organizations should treat this as a critical priority for Windows Chrome users.

Risk score, explained

The CVSS 3.1 score of 8.8 reflects a high-severity vulnerability with significant impact potential. The score components: AV:N (network-exploitable from any website), AC:L (low attack complexity—no special conditions required), PR:N (no privileges needed), UI:R (user interaction required—visiting a page), S:U (no scope escalation), and confidentiality/integrity/availability all set to High (full impact possible). The score appropriately captures the balance between broad exploitability and the user-interaction requirement. The Chromium security team's 'High' severity rating aligns with this CVSS assessment.

Frequently asked questions

Does this affect me if I use Chrome on macOS or Linux?

No. CVE-2026-10955 is specific to the Windows implementation of ANGLE in Chrome. macOS and Linux users are not affected, as those platforms use different graphics rendering paths.

What if Chrome auto-update is disabled in my organization?

You must manually push version 149.0.7827.53 or later to all Windows systems. Use Chrome's enterprise deployment tools, Group Policy (for Windows domains), or mobile device management platforms to enforce the update. Verify completion before considering the vulnerability mitigated.

Can I be exploited if I simply have Chrome installed but don't use it?

Only if you visit a malicious or compromised website while Chrome is your active browser. Simply having the application installed without browsing does not expose you. However, if users might accidentally open links in Chrome, the risk remains.

Is there a workaround if I can't patch immediately?

There is no complete workaround, but you can reduce risk by directing users to use alternative browsers for untrusted content, disabling JavaScript in Chrome (though this breaks most websites), or using browser isolation technology. These are temporary measures only; patching is the proper solution.

This analysis is based on publicly available vulnerability data current as of June 2026. CVSS scores and vendor advisories are subject to revision; verify patch version numbers and availability against official Google Chrome and Microsoft security bulletins before deployment. This explainer does not constitute security advice for your specific environment; tailor remediation and detection strategies to your organization's risk tolerance and technical constraints. SEC.co makes no warranty regarding the completeness or accuracy of this vulnerability analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).