CVE-2026-11005: Out-of-Bounds Read in Chrome ANGLE on Windows
A flaw in ANGLE, the graphics abstraction layer used by Google Chrome on Windows, allows a remote attacker to read sensitive data from Chrome's renderer process memory. The attacker must first compromise the renderer process and trick a user into visiting a malicious webpage. Once those conditions are met, the attacker can extract potentially sensitive information from memory that they shouldn't have access to. This is an out-of-bounds read vulnerability—the code accesses memory locations it wasn't intended to reach.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-125
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Out of bounds read in ANGLE in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11005 is an out-of-bounds read vulnerability (CWE-125) in ANGLE, Google's OpenGL ES abstraction layer used in Chrome's rendering engine. The flaw exists in Google Chrome on Windows versions prior to 149.0.7827.53. The vulnerability requires a compromised renderer process and user interaction (visiting a crafted HTML page) to trigger. The attacker exploits improper memory bounds checking in ANGLE's graphics code, allowing them to read beyond allocated buffer boundaries and leak sensitive data from the renderer process address space. The CVSS 3.1 score of 5.3 reflects the high confidentiality impact, high attack complexity, and need for user interaction.
Business impact
For organizations with Windows users running Chrome, this vulnerability poses a moderate information disclosure risk. The primary concern is exfiltration of sensitive data resident in renderer process memory—such as cached credentials, session tokens, or other sensitive page content. Since exploitation requires a prior renderer compromise, this is typically part of a multi-stage attack chain. Affected users may face credential theft or session hijacking if sensitive information is accessed. The vulnerability does not enable code execution or denial of service, limiting its standalone impact but making it valuable as a secondary exploitation vector in targeted campaigns.
Affected systems
Google Chrome on Windows prior to version 149.0.7827.53 is vulnerable. The flaw is specific to the Windows platform and ANGLE's implementation within Chrome. Users on macOS and Linux are not affected by this particular issue, as they do not use ANGLE in the same way. Chrome users on Windows should prioritize updating, particularly if they browse untrusted content or are targets of sophisticated attacks. No specific Windows versions are restricted; the vulnerability affects all supported Windows releases running the vulnerable Chrome versions.
Exploitability
Exploiting this vulnerability requires a multi-step process, which moderates the overall exploitability. First, an attacker must compromise Chrome's renderer process through a separate vulnerability or method. Once the renderer is compromised, the attacker serves a crafted HTML page that triggers the out-of-bounds read in ANGLE's graphics processing code. User interaction is required—the victim must visit the malicious page. The attack complexity is high because conditions must align: a prior compromise, successful rendering of the crafted content, and user participation. No public exploit code or active exploitation has been reported in the wild. This is not a publicly known exploit as of the publication date.
Remediation
Update Google Chrome to version 149.0.7827.53 or later on Windows systems. Chrome's automatic update mechanism will prompt users to restart their browser to apply the patch. Security teams should verify that auto-update is enabled across their environment or use Chrome's enterprise policies to enforce timely patching. Organizations can use Chrome Update Management via Group Policy (Windows domain environments) or commercial endpoint management platforms to enforce rapid deployment. No workarounds exist short of updating; users cannot mitigate the risk through configuration changes alone.
Patch guidance
Verify that Google Chrome has been updated to version 149.0.7827.53 or later. Users can confirm their version by navigating to chrome://settings/help in the address bar, which displays the current version and triggers an update check if needed. For enterprise deployments, admins should audit Chrome versions via Mobile Device Management (MDM) solutions or endpoint telemetry. After patching, users should close and reopen all Chrome windows to ensure the updated version is fully loaded. Test that ANGLE-dependent features (3D graphics, WebGL) function correctly post-patch, though issues are unlikely.
Detection guidance
Endpoint Detection and Response (EDR) tools should monitor for out-of-bounds memory access patterns in Chrome renderer processes, though this requires deep behavioral analysis of ANGLE execution. Network detection is limited unless the malicious HTML payload has distinctive signatures. Organizations can enable Chrome security logging via group policy to track renderer crashes or unusual memory access events. Monitor for unexpected renderer process restarts or crashes following user browsing activity—ANGLE exploits may trigger memory protection violations. Log Chrome update deployment to verify remediation across managed devices. Intrusion Detection Systems (IDS) may flag suspicious network traffic associated with delivering the crafted HTML, but detection depends on payload obfuscation and delivery method.
Why prioritize this
This vulnerability warrants prompt but not emergency patching. The CVSS 5.3 (Medium) rating and lack of KEV status indicate it is not actively exploited at scale in the wild. However, the information disclosure nature makes it valuable to sophisticated attackers targeting specific users or organizations. Prioritize patching for high-value targets, security-sensitive roles, or high-risk users who frequently browse untrusted content. General user populations should patch within normal update windows (days to weeks). The requirement for prior renderer compromise means this is not a one-click exploitation scenario, reducing urgency compared to remote code execution vulnerabilities.
Risk score, explained
The CVSS 3.1 score of 5.3 reflects a Medium severity classification driven by: (1) High confidentiality impact—sensitive memory can be read; (2) Network-based attack vector—the payload is delivered via a webpage; (3) High attack complexity—prior renderer compromise and specific trigger conditions are required; (4) Requirement for user interaction—the user must visit the malicious page; (5) No integrity or availability impact—data is read-only, no modification or system disruption occurs. The score appropriately captures the information disclosure risk while acknowledging the substantial barriers to exploitation.
Frequently asked questions
Can I be exploited if I just visit a malicious website normally?
No. The attacker must first compromise your renderer process through a separate vulnerability. Visiting a webpage alone, even with this ANGLE flaw present, does not expose you to attack. This vulnerability is a secondary exploitation step, not a direct entry point.
Does this vulnerability affect Chrome on Mac or Linux?
No. The vulnerability is specific to ANGLE on Windows. Chrome on macOS and Linux use different graphics rendering approaches and are not affected by this particular flaw.
What exactly can an attacker steal from process memory?
An attacker can read any data currently resident in the compromised renderer process's memory. This may include cached page content, session tokens, JavaScript variables, or other sensitive information depending on what the browser has loaded. The exact data is determined by what is in memory at the moment of exploitation.
How quickly should we patch this?
Prioritize based on your risk profile. High-value targets and users handling sensitive data should patch within days. General users can patch within the normal Chrome update cycle (typically within a week or two). Since active exploitation isn't reported and the attack requires a prior compromise, this is not an emergency-level patch, but timely application remains important.
This analysis is provided for informational purposes and represents SEC.co's assessment based on available vulnerability data as of the publication date. Vendor advisories and patch information should be verified against official sources. The vulnerability details and exploitability assessment are based on the CVE description and CVSS vector; real-world exploitation may vary. Organizations should conduct their own risk assessments tailored to their environment and threat model. No warranty is provided regarding the accuracy or completeness of this analysis. Always consult official vendor security advisories for authoritative patch guidance and compatibility information. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure
- CVE-2026-11006MEDIUMChrome Out-of-Bounds Read in Dawn Graphics API—Urgent Patch Required
- CVE-2026-10889HIGHCritical ANGLE Sandbox Escape in Google Chrome – Patch to 149.0.7827.53
- CVE-2026-10927HIGHChrome Sandbox Escape via Dawn Out-of-Bounds Read
- CVE-2026-10941HIGHSkia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required
- CVE-2026-11015HIGHCritical Chrome WebGPU Out-of-Bounds Read Vulnerability
- CVE-2026-10979MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure Vulnerability