MEDIUM 5.3

CVE-2026-11004: Chrome ANGLE Out-of-Bounds Read Memory Disclosure

CVE-2026-11004 is a memory disclosure vulnerability in Google Chrome's ANGLE graphics library. An attacker who has already compromised Chrome's renderer process can craft a malicious HTML page to read sensitive data from the browser's memory. While this requires prior compromise of the renderer, the ability to extract potentially sensitive information makes it a meaningful security concern for organizations running Chrome.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-125
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Out of bounds read in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This vulnerability is an out-of-bounds read (CWE-125) in ANGLE, Chrome's graphics abstraction layer. The flaw allows an attacker operating within a compromised renderer process to construct a specially crafted HTML page that triggers an out-of-bounds memory access. This read operation can leak sensitive information resident in process memory. The vulnerability affects Chrome prior to version 149.0.7827.53 on Windows, macOS, and Linux systems.

Business impact

This vulnerability poses a secondary data exposure risk in multi-stage attack chains. Once an attacker has already compromised a renderer process (via another vulnerability or phishing), CVE-2026-11004 enables them to harvest sensitive data from Chrome's memory—potentially including cached credentials, session tokens, or other sensitive information. Organizations should prioritize closing the initial attack vector rather than treating this as a standalone entry point, but timely patching limits an attacker's toolkit after renderer compromise.

Affected systems

Google Chrome versions prior to 149.0.7827.53 are vulnerable on all major platforms: Windows, macOS, and Linux. Any user or system running an unpatched Chrome browser is at risk if a renderer process is compromised through a separate attack vector.

Exploitability

Exploitation requires two conditions: (1) the attacker must first compromise Chrome's renderer process through another vulnerability or social engineering, and (2) the user must then visit or interact with a crafted HTML page. The CVSS score of 5.3 (Medium) reflects this two-stage requirement. Exploitation is not trivial or remotely triggerable in isolation; it is a post-compromise tactic rather than an initial access vector. KEV status is not active, indicating no widespread exploitation in-the-wild has been reported as of the data collection date.

Remediation

Update Google Chrome to version 149.0.7827.53 or later. Chrome typically auto-updates, but users should verify their installed version via Chrome menu > About > Chrome or Settings. Administrators managing browser deployments should ensure update policies enforce this version floor. Additionally, maintain vigilance against the primary attack vectors (such as browser exploits or phishing) that would allow initial renderer process compromise.

Patch guidance

Install Chrome 149.0.7827.53 or any subsequent version released after June 4, 2026. Users with auto-update enabled should receive this patch automatically; verify successful installation by navigating to About Chrome. Enterprise administrators should confirm patch deployment across managed devices and consider setting Chrome to auto-update if not already configured. No interim mitigations are documented; patching is the primary remediation.

Detection guidance

Direct detection of exploitation attempts is difficult without browser instrumentation. Organization-level detection efforts should focus on: (1) confirming Chrome versions across deployed devices to identify unpatched instances, (2) monitoring for anomalous memory access patterns if you have deep visibility into browser process behavior, and (3) tracking for indicators of the upstream compromise vector (the attack that first compromises the renderer). Intrusion detection systems tuned to catch browser exploit patterns will indirectly help prevent the prerequisite renderer compromise.

Why prioritize this

While the CVSS score is Medium (5.3), this vulnerability should be treated as a supporting element in a broader attack strategy rather than a critical standalone risk. Prioritize patching to deny attackers an additional data exfiltration technique post-compromise, but do not let it overshadow efforts to prevent renderer process compromise in the first place. Teams should patch within their standard update cycles, prioritizing systems that face high-risk browsing activity or handle sensitive data.

Risk score, explained

The CVSS 5.3 (Medium) score reflects: Attack Vector (Network), Access Complexity (High), Privileges Required (None), User Interaction (Required), Scope (Unchanged), Confidentiality Impact (High), Integrity (None), and Availability (None). The 'High' complexity and requirement for user interaction reduce the raw severity. However, the High confidentiality impact is offset by the fact that exploitation requires prior renderer compromise, lowering the overall numeric score. This represents a real but conditional information disclosure risk.

Frequently asked questions

Does this vulnerability allow remote code execution?

No. CVE-2026-11004 is an out-of-bounds read that leaks memory; it does not enable code execution. An attacker still needs to compromise the renderer process first through another means, then uses this flaw to extract sensitive data. Remediation must address both the initial access vector and this secondary exploitation step.

Are Chrome users on all platforms equally at risk?

Yes, the vulnerability affects Chrome on Windows, macOS, and Linux. There is no platform-specific mitigation or bypass. All users should update to version 149.0.7827.53 or later regardless of operating system.

If I have Chrome set to auto-update, am I protected?

Most likely, but verify. Auto-update should have installed version 149.0.7827.53 or later by now. Check your version via About Chrome to confirm. If you see a version number below 149.0.7827.53, manually trigger an update or contact your IT team.

What kind of sensitive information could be leaked?

The vulnerability allows reading arbitrary memory from the Chrome process, which could include cached credentials, session tokens, browsing history fragments, or other data the browser holds in memory. The specific content depends on what the attacker targets with their crafted HTML page.

This analysis is based on vulnerability data as of June 17, 2026. Security information, exploitation status, and patch availability may change. Always verify patch versions and remediation guidance against official vendor advisories before deployment. This vulnerability requires prior renderer process compromise; it is not an independent attack vector. Organizations should address both the upstream compromise mechanism and this secondary exploitation path as part of a holistic security strategy. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).