CVE-2026-10979: Chrome ANGLE Out-of-Bounds Read Memory Disclosure Vulnerability
A flaw in the ANGLE graphics library used by Google Chrome before version 149.0.7827.53 allows attackers to read memory outside intended bounds. An attacker can craft a malicious HTML page that, when visited by a user, extracts sensitive data from Chrome's process memory—such as authentication tokens, encryption keys, or other confidential information. Exploitation requires user interaction (clicking a link or visiting a site) but no special privileges.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-125
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Out of bounds read in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10979 is an out-of-bounds read vulnerability in ANGLE (Almost Native Graphics Layer Engine), the graphics abstraction layer underlying Chrome's rendering pipeline. The flaw permits reading memory regions beyond the bounds of an allocated buffer, classified as CWE-125 (Out-of-bounds Read). A remote attacker delivers a crafted HTML page via network; when rendered by a vulnerable Chrome instance, the malformed content triggers the out-of-bounds read during graphics processing. The attacker gains read access to arbitrary process memory without modifying data or causing denial of service. The Chromium project assigned this a High security severity rating.
Business impact
This vulnerability poses a confidentiality risk to Chrome users. Attackers can harvest sensitive data resident in Chrome's memory—including session credentials, cached passwords, API keys, or personal information from loaded web pages—without triggering obvious signs of compromise. The attack requires user click-through but no social engineering expertise beyond standard phishing or malvertising tactics. Organizations relying on Chrome for secure web access should prioritize updates, particularly if users regularly handle sensitive data in-browser or access high-value cloud services via Chrome.
Affected systems
Google Chrome versions prior to 149.0.7827.53 are vulnerable. This includes all Chrome releases on Windows, macOS, and Linux distributions carrying the affected version range. The vulnerability does not affect other Chromium-based browsers unless they incorporate the same vulnerable ANGLE code without remediation. Users on auto-update may already be protected if their instance has reached version 149.0.7827.53 or later.
Exploitability
Exploitability is moderate to moderately high. The attack surface is broad (any website or HTML-bearing content) and requires only user interaction—visiting a malicious page or clicking a link. No authentication, elevated privileges, or complex user actions are needed beyond standard browsing. However, reliable exploitation depends on precise crafting of graphics commands to trigger the read at a desired memory offset, which may require attacker reconnaissance of the target process layout. The out-of-bounds condition itself is not user-controlled in terms of which memory is read, limiting attacker precision without additional information leaks.
Remediation
Update Google Chrome to version 149.0.7827.53 or later. Chrome's auto-update mechanism typically rolls out patches within hours to days of release. Verify the updated version via Chrome's About page (chrome://about or Chrome menu > About Google Chrome), which will confirm the installed build number. For enterprise environments, administrators should trigger policy-driven updates or validate endpoint compliance through device management tools. No workarounds exist short of disabling JavaScript or restricting web content, which is impractical for normal browsing.
Patch guidance
Google's Chromium security releases are delivered via the stable channel. Users with auto-update enabled should receive version 149.0.7827.53 automatically within a short window. Enterprise administrators managing Chrome via policy should verify rollout to their fleet and confirm build numbers via reporting tools. Extended support channels (ESR versions, if applicable) will receive patches on their respective schedules—consult your organization's Chrome deployment model. Test the update in a non-critical environment first if your organization makes updates centrally, though this patch addresses a remote code execution precursor and should be deployed with urgency.
Detection guidance
Monitor for signs of exploitation via network-based and endpoint-based telemetry. Network sensors should flag suspicious HTML served from known malicious domains or C2 servers. Endpoint detection should monitor for Chrome crashes or unexpected memory access patterns during graphics rendering, though out-of-bounds reads may execute silently if the attacker successfully exfiltrates data. Browser forensics and memory dumps of Chrome processes after suspected compromise may reveal telltale artifacts of crafted graphics commands. Consider deploying content filtering to block known phishing or malvertising campaigns leveraging this CVE. Monitor for derivative attacks (credential misuse, lateral movement) following memory disclosure.
Why prioritize this
Although the CVSS score is 6.5 (MEDIUM), the practical risk is elevated for environments where Chrome users access sensitive services or handle valuable data in-browser. The vulnerability is remotely exploitable with only user interaction required, making it suitable for mass-targeting via malvertising or watering-hole tactics. The confidentiality impact (high) and the difficulty in detecting attacks post-exploitation elevate concern. This should not be deferred; treat it as priority for deployment within the first week of patch availability, particularly for high-value user populations.
Risk score, explained
The CVSS v3.1 score of 6.5 reflects attack vector: network, attack complexity: low, no privileges required, user interaction required, and high confidentiality impact with no integrity or availability impact. The score is conservative relative to real-world risk because it does not account for the high frequency of Chrome use in modern enterprises, the difficulty of detecting silent memory exfiltration, or the prevalence of phishing-based attack chains. Organizations handling PII, credentials, or intellectual property in-browser should consider this a 7 or higher for internal risk scoring.
Frequently asked questions
Will I be compromised if I visit an affected website?
Visiting a website with a crafted payload may allow the attacker to read memory from your Chrome process, but successful exploitation depends on precise alignment with your system's memory layout and whether the attacker can deliver the payload reliably. Most users will not be targeted; however, high-profile targets and mass campaigns are both plausible. Update Chrome promptly and remain cautious about clicking links in emails or messages from untrusted sources.
Does this affect Chrome on mobile devices?
Chrome for Android and iOS use the same Chromium engine and ANGLE library on some platforms. Consult Google's security advisories for mobile-specific version numbers and availability. Mobile users should update through their respective app stores (Play Store, App Store) using the same urgency as desktop users.
Can I be exploited if JavaScript is disabled?
Out-of-bounds reads in graphics processing can occur through WebGL and other hardware-accelerated rendering APIs. Disabling JavaScript alone is insufficient; the vulnerability can be triggered through HTML5 canvas or WebGL calls initiated by the page structure itself. Full mitigation requires updating Chrome or using a blocking extension for graphics-heavy content.
Is there a workaround if I cannot update immediately?
No safe workaround exists. Restricting browsing to trusted internal sites or using a browser policy to block untrusted content can reduce exposure. However, these are temporary measures. Prioritize updating within 24–48 hours if possible, or isolate the machine from high-risk browsing until patched.
This analysis is provided for informational purposes and reflects the vulnerability status as of the publication date. CVSS scores and severity ratings are as assigned by the Chromium project and NIST; your organization's risk tolerance may differ. Patch availability and version numbers should be verified against official Google Chrome security advisories. No exploit code or weaponized proof-of-concept is provided. Organizations should conduct internal testing before broad deployment in production environments. This document does not constitute legal, compliance, or professional security advice. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10985MEDIUMOut-of-Bounds Read in Google Chrome Skia – Data Leakage Vulnerability
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-10999MEDIUMGoogle Chrome ANGLE Integer Overflow Information Disclosure
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure
- CVE-2026-11005MEDIUMOut-of-Bounds Read in Chrome ANGLE on Windows
- CVE-2026-11006MEDIUMChrome Out-of-Bounds Read in Dawn Graphics API—Urgent Patch Required
- CVE-2026-0076HIGHAndroid ResourceTypes.cpp Out-of-Bounds Read Privilege Escalation
- CVE-2026-10017HIGHChrome Sandbox Escape via Out-of-Bounds Read in Headless Mode