CVE-2026-10999: Google Chrome ANGLE Integer Overflow Information Disclosure
An integer overflow vulnerability exists in ANGLE (a graphics abstraction layer) within Google Chrome on Windows. Before version 149.0.7827.53, this flaw could allow an attacker who already controls the Chrome renderer process to read sensitive data from memory by tricking a user into viewing a specially crafted webpage. The vulnerability requires user interaction (clicking a link or visiting a malicious site) but does not allow the attacker to modify data or crash the browser.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-125, CWE-190, CWE-787
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Integer overflow in ANGLE in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10999 is an integer overflow condition in ANGLE's graphics processing pipeline on Windows. The vulnerability spans three weakness categories: out-of-bounds read (CWE-125), integer overflow (CWE-190), and out-of-bounds write (CWE-787). The integer overflow leads to incorrect memory calculations, enabling out-of-bounds memory access that can leak data from the renderer process address space. This is a post-compromise issue—the attacker must already have code execution within the renderer sandbox—but the information disclosure is triggered purely by user interaction with a crafted HTML payload. Chromium assessed this as Medium severity.
Business impact
Information disclosure from Chrome's renderer process could expose user data, session tokens, or cryptographic material depending on what happens to reside in adjacent memory. For organizations using Chrome in sensitive roles (development, financial analysis, classified work), a compromised renderer process combined with this flaw raises the risk of credential or IP theft. The practical impact is moderate because the attack chain requires an intermediate compromise of the renderer process, not direct remote code execution.
Affected systems
This vulnerability affects Google Chrome on Windows versions prior to 149.0.7827.53. macOS and Linux Chrome builds are not mentioned in the advisory, suggesting the integer overflow may be platform-specific to Windows graphics driver interactions or ANGLE's Windows implementation. Organizations standardized on those platforms may not require immediate action, but Windows-based Chrome deployments should prioritize updates.
Exploitability
The vulnerability is not currently on the CISA Known Exploited Vulnerabilities list, indicating no evidence of active weaponization as of the publication date. Exploitation requires a two-step process: first, compromising the Chrome renderer process (via a separate vulnerability or initial malware), then serving the crafted HTML to trigger the integer overflow. This nested requirement limits the practical attack surface compared to a direct remote code execution flaw. However, the low complexity of the exploit chain (once the renderer is compromised) and the user interaction requirement keep it accessible to skilled attackers.
Remediation
Update Google Chrome to version 149.0.7827.53 or later. Use Chrome's automatic update mechanism or manually check Settings > About > Google Chrome to force an immediate update check. For Windows environments, admins can enforce updates via group policy or by requiring Chrome to be managed through endpoint management tools. No workarounds exist for the underlying flaw; patching is the only mitigation.
Patch guidance
Verify that Chrome has been updated to version 149.0.7827.53 or a later stable release. Users can confirm their version by navigating to chrome://version or checking Settings > About. For enterprise deployments, audit all Windows systems running Chrome and confirm they report version 149.0.7827.53 or higher. Test patch deployment in non-production environments first to rule out any compatibility issues with internal web applications, though this is a standard Chrome update and should have minimal compatibility impact. Rollout should be prioritized for systems where users handle sensitive information.
Detection guidance
Detection of this specific vulnerability in the wild is challenging because the exploit requires prior renderer compromise and leaves limited forensic traces beyond the crafted HTML file in browsing history or cache. Monitor for unusual Chrome crashes or out-of-memory conditions paired with suspicious websites in browser history. Endpoint Detection and Response (EDR) tools should flag processes spawning from Chrome with unusual API calls or memory patterns. Network-based detection is ineffective against this flaw because it operates within the browser sandbox. Focus on ensuring Chrome updates are deployed universally and on monitoring for the prerequisite renderer compromises (such as from other CVEs or drive-by-download campaigns).
Why prioritize this
Although this is a Medium-severity vulnerability with no current known exploitation, it warrants timely patching because it sits in the graphics processing layer used by all Windows Chrome users. The CVSS score of 6.5 reflects the confidentiality risk without system-level impact. Prioritize updates for endpoints in high-value roles, then roll out broadly within a standard patch cycle (1–2 weeks). The lack of KEV status and the nested attack chain reduce urgency relative to direct RCE flaws, but the widely deployed nature of Chrome means coverage must still be comprehensive.
Risk score, explained
The CVSS 3.1 score of 6.5 (Medium) reflects a network-reachable attack vector (crafted HTML), low attack complexity once the renderer is compromised, no privilege escalation, user interaction required, and confidentiality impact without integrity or availability consequences. The score does not account for the prerequisite renderer compromise, which Chromium's severity rating implicitly captures by assigning Medium rather than High. The practical risk is tempered by the requirement to first breach the sandbox, but the ease of exploitation post-compromise and the sensitivity of data in browser memory justify the 6.5 rating.
Frequently asked questions
Do I need to patch if my organization doesn't use Chrome?
No. This vulnerability is specific to Google Chrome on Windows. If your organization standardizes on Edge, Firefox, or another browser, you are not affected. However, if Chrome is used by any subset of users (particularly in development or sensitive roles), those instances should be patched.
What does 'compromised renderer process' mean, and how would that happen?
The Chrome browser isolates websites in separate processes called renderers for security. A compromised renderer means a separate vulnerability (either in Chrome or a website) allowed an attacker to execute code within that isolated process. This CVE then allows them to read memory from that same process. Typically, this would occur via a prior exploit or a malicious website delivering code via another flaw.
Can this vulnerability steal my passwords or cookies?
Potentially, yes, if passwords or session cookies happen to be in the renderer process memory at the time of exploitation. However, Chrome stores most sensitive data (like saved passwords) in a separate protected storage mechanism, not in renderer memory. The risk is highest for data actively in use by a webpage—form input, authentication tokens, or user content.
Is there a workaround until I can patch Chrome?
No direct workaround exists. The vulnerability is in the core graphics processing layer. Your best interim mitigations are to avoid visiting untrusted websites, use security extensions that block malicious sites, and maintain strong endpoint security to reduce the risk of the prerequisite renderer compromise.
This analysis is based on the CVE record and Chromium security advisory as of the publication and modification dates provided. Vulnerability details, patch versions, and affected product lists are subject to change; always verify against official vendor advisories before deployment. SEC.co does not provide exploit code or weaponization guidance. Organizations should validate patch compatibility in their specific environments before broad rollout. This explainer is for informational purposes and does not constitute professional security advice tailored to your infrastructure. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10941HIGHSkia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required
- CVE-2026-0039MEDIUMAndroid Integer Overflow Denial of Service Vulnerability
- CVE-2026-0040MEDIUMAndroid ubsan_throwing_runtime Integer Overflow DoS Vulnerability
- CVE-2026-0041MEDIUMAndroid UBSan Integer Overflow Remote Denial of Service
- CVE-2026-0043MEDIUMAndroid UBSan Integer Overflow Local Privilege Escalation
- CVE-2026-0044MEDIUMAndroid Integer Overflow Denial of Service Vulnerability
- CVE-2026-0052MEDIUMAndroid Integer Overflow Remote Denial of Service Vulnerability
- CVE-2026-0079MEDIUMAndroid Integer Overflow DoS in ubsan_throwing_runtime