HIGH 8.1

CVE-2026-11015: Critical Chrome WebGPU Out-of-Bounds Read Vulnerability

A memory reading flaw in Google Chrome's WebGPU component allows attackers to read data outside the intended memory boundaries when a user visits a specially crafted website. The vulnerability requires user interaction (visiting a malicious page) but does not require special privileges, and while the attacker cannot modify data or directly crash the browser, they can extract sensitive information from the process's memory—such as passwords, keys, or other confidential data stored there.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Weaknesses (CWE)
CWE-125
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Out of bounds read in WebGPU in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11015 is an out-of-bounds (OOB) read vulnerability in the WebGPU subsystem of Chromium-based browsers, classified as CWE-125. The flaw permits remote code execution context (network attacker) to trigger memory reads beyond allocated buffer boundaries via crafted HTML delivered to a victim's browser. The vulnerability exists in Google Chrome versions prior to 149.0.7827.53. While WebGPU operations are typically sandboxed, the ability to read arbitrary process memory can bypass isolation mechanisms and leak sensitive data. The CVSS 3.1 score of 8.1 (HIGH) reflects high confidentiality impact and high availability risk, offset by the requirement for user interaction and single-security-boundary scope.

Business impact

Organizations where users browse untrusted content face increased risk of credential and data theft. A successful exploit could exfiltrate session tokens, encryption keys, or cached sensitive information from browser memory, potentially enabling account takeover or lateral movement. For enterprises with strict data handling policies, any unauthorized memory disclosure may trigger compliance violations. The attack surface is broad—any website or advertisement network could serve the malicious payload—making widespread exploitation feasible if the vulnerability becomes widely known before patching.

Affected systems

Google Chrome prior to version 149.0.7827.53 is the primary affected product. The WebGPU feature is available on Windows, macOS, and Linux systems running vulnerable Chrome releases. While the CVE references other operating systems (Windows, macOS, Linux) in the vendor list, the vulnerability is specific to the Chromium browser engine; other applications on these OS platforms are not directly affected unless they embed Chromium or implement WebGPU independently.

Exploitability

The vulnerability is readily exploitable from the network without authentication. An attacker need only craft a malicious HTML page and deliver it to victims through a website, ad network, or email link. User interaction is required—the user must visit or view the page—but no special configuration or advanced social engineering is necessary. Given WebGPU's growing adoption for graphics-intensive web applications, the attack surface is expanding. Exploitation does not require local access, and the barrier to weaponization is moderate; however, the fact that this is not yet listed in CISA's Known Exploited Vulnerabilities (KEV) catalog suggests active exploitation has not been widespread as of the data snapshot.

Remediation

Update Google Chrome to version 149.0.7827.53 or later. Chrome's auto-update mechanism typically rolls out patches within days; users can manually check for updates via Settings > About > Google Chrome to accelerate installation. Organizations should enforce automated updates or use enterprise policy to mandate patching. For users who cannot immediately update, avoiding untrusted websites and disabling WebGPU (if feasible through enterprise policy) reduces exposure, though full remediation requires the patch.

Patch guidance

Deploy Chrome 149.0.7827.53 or newer via your standard browser update channels. Enterprise customers should verify the patch version in their deployment systems and confirm rollout across managed devices. If your organization uses Chromium-based browsers other than Chrome (Brave, Edge, Vivaldi), check with those vendors for corresponding patches, as they may lag behind the upstream Chromium release. Test patches in a non-production environment first, particularly if you have extensions or custom web applications that rely on WebGPU functionality.

Detection guidance

Monitor for anomalous memory access patterns or JavaScript console errors related to WebGPU on systems running Chrome versions before 149.0.7827.53. Endpoint detection tools should flag attempts to load WebGPU context with crafted shader or buffer objects. Network-level detection is difficult because the payload is typically inline HTML and JavaScript; focus on behavioral indicators such as unusual data exfiltration from browser processes or repeated visits to known malicious domains. Host-based tools can identify unpatched Chrome versions and alert security teams, enabling targeted outreach for priority patching.

Why prioritize this

Although the Chromium security severity is listed as Medium, the CVSS score of 8.1 is HIGH due to significant confidentiality impact (high probability of sensitive data disclosure) and high availability risk. The attack surface is massive—billions of Chrome users—and the barrier to exploitation is low. The lack of KEV listing suggests this may still be in the early post-disclosure window, making rapid patching critical before widespread weaponization. Organizations should treat this as a P1 or P2 priority based on user exposure and data sensitivity.

Risk score, explained

The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H) yields 8.1 because network accessibility, low attack complexity, and no privilege requirement lower the barrier to exploitation. High confidentiality impact reflects the memory disclosure risk; the lack of integrity impact (cannot modify data) prevents a higher score. High availability impact acknowledges that memory corruption could cause process crashes or service interruption. The requirement for user interaction (UI:R) prevents a critical rating, but the overall profile remains high-risk given the ubiquity of the affected software.

Frequently asked questions

Does this vulnerability affect all Chrome users or only those using WebGPU?

All Chrome users are at risk, but exploitation specifically targets WebGPU functionality. If WebGPU is not in use on a particular website, that site alone cannot exploit this flaw. However, because WebGPU is increasingly embedded in web applications for graphics rendering, the effective attack surface is very broad. Users have no easy way to know in advance whether a website uses WebGPU, so the practical risk applies to most users.

Can I disable WebGPU to protect myself until I patch?

Some enterprise environments can disable WebGPU via Group Policy or similar controls. However, this may break legitimate web applications that depend on it. Disabling WebGPU is a temporary mitigation, not a substitute for patching. The most secure approach is to apply the patch immediately rather than rely on workarounds.

Is this vulnerability exploited in the wild?

As of the data snapshot, this CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting active mass exploitation has not been reported. However, the lack of a KEV listing does not guarantee safety; proof-of-concept code may exist in private forums, and exploitation could begin at any time. Prioritize patching as if in-the-wild exploitation is imminent.

What data could an attacker steal using this flaw?

Attackers can read memory allocated to the Chrome process, which may contain session cookies, stored passwords, cryptographic keys, cached HTTP responses, or data from other open tabs or extensions. The extent of leakage depends on browser configuration and what sensitive data happens to be in memory at the time of exploitation. Assume worst-case: any unencrypted sensitive data in the browser's address space is at risk.

This analysis is based on publicly disclosed CVE data and vendor advisories current as of the publication date. Patch version numbers and technical details should be verified against the official Google Chrome Security Release documentation. This vulnerability is not known to be actively exploited in the wild at the time of writing, but exploitation status can change rapidly. Organizations should treat this as a high-priority patch regardless of current KEV status. SEC.co does not provide legal advice; organizations should consult their own security and compliance teams regarding disclosure and remediation timelines. No exploit code or proof-of-concept is provided in this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).