MEDIUM 6.5

CVE-2026-11033: Chrome macOS WebML Memory Disclosure Vulnerability

A memory initialization flaw in Chrome's WebML component on macOS allows attackers to steal sensitive data. When a user visits a malicious webpage, the browser may leak uninitialized memory contents—potentially exposing passwords, tokens, or other private information—without requiring any special user interaction beyond loading the page. The issue affects Chrome versions before 149.0.7827.53 on Apple's macOS.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-457
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Uninitialized Use in WebML in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11033 is an uninitialized use vulnerability (CWE-457) in the WebML subsystem of Google Chrome on macOS prior to version 149.0.7827.53. The vulnerability allows a network-based attacker to trigger information disclosure from process memory via a crafted HTML page. The attack requires user interaction (viewing a webpage) but no privilege escalation or system access. Chromium classified this as Medium severity; CVSS 3.1 assigns it a score of 6.5 (Medium) with a confidentiality impact rated high, reflecting exposure of sensitive in-memory data without integrity or availability impact.

Business impact

Information disclosure vulnerabilities in browsers pose direct risk to organizational data. Employees browsing the web on macOS systems running vulnerable Chrome versions could inadvertently leak session tokens, authentication credentials, or cached sensitive data stored in process memory. For enterprises with bring-your-own-device policies or significant macOS user bases, this creates a compliance and data loss exposure. Threat actors need only host a malicious page and wait for users to visit—no exploit kit or zero-day sophistication required. Data exfiltration is passive and may go undetected by standard endpoint monitoring.

Affected systems

Google Chrome on macOS versions prior to 149.0.7827.53 are vulnerable. The vulnerability is specific to macOS and does not affect Chrome on Windows, Linux, Android, or iOS. Organizations should inventory Chrome installations on macOS endpoints and verify which users or systems remain unpatched. Third-party applications embedding Chromium on macOS may also require assessment if they package vulnerable versions of the rendering engine.

Exploitability

Exploitability is moderate to high in practical terms. An attacker needs only to craft a malicious HTML page and induce users to visit it—no advanced social engineering or convincing pretext is strictly necessary if the page is hosted on a compromised legitimate domain or watering-hole site. User interaction is required (opening the page) but this is a low barrier in real-world scenarios. No elevated privileges, authentication, or local access are needed. The attack is reliable once triggered, making it suitable for broad, opportunistic campaigns targeting macOS users.

Remediation

Update Google Chrome on macOS to version 149.0.7827.53 or later. Google Chrome auto-updates by default, but administrators should verify completion via the Chrome menu (Chrome > About Google Chrome) to confirm the installed version. For enterprises managing multiple macOS endpoints, enforce Chrome updates via Mobile Device Management (MDM) or configuration management tools to ensure timely patching across the fleet.

Patch guidance

Verify your macOS Chrome version by navigating to Chrome > About Google Chrome; the browser will automatically check for and install updates. If you are on a version earlier than 149.0.7827.53, restart Chrome to apply the patch. For managed environments, deploy Chrome version 149.0.7827.53 or later via your MDM solution (Jamf, Intune, etc.) and confirm rollout completion within 24–48 hours. Consider temporarily restricting browsing to known-safe internal sites on unpatched systems if immediate patching is not feasible.

Detection guidance

Detection at the network or endpoint level is challenging because the attack vector is a legitimate browser loading a webpage. Focus on Chrome version inventory and ensure your device management system flags any installations below 149.0.7827.53. Monitor for unusual browser crashes or error logs mentioning WebML—though these are not reliable indicators. Behavioral detection of process memory exfiltration is difficult without kernel-level monitoring. The best detection strategy remains asset inventory and patch compliance reporting.

Why prioritize this

While scored Medium (6.5 CVSS), this vulnerability merits prioritization for several reasons: (1) it affects macOS, where enterprise patch rates are often lower than for Windows systems; (2) exploitability is trivial—a simple malicious webpage suffices, with no advanced capability required; (3) the impact is data exposure without user-facing symptoms, making it attractive for espionage or credential harvesting; (4) Chrome is ubiquitous in modern workforces. Organizations should treat this as a high-priority patch deployment despite its Medium severity rating.

Risk score, explained

The CVSS 3.1 score of 6.5 reflects: Attack Vector (Network) = high reach; Attack Complexity (Low) = easily exploitable; Privileges Required (None); User Interaction (Required) = reduces slightly from maximum; Scope (Unchanged) = no privilege boundary crossed; Confidentiality (High) = sensitive memory may be leaked; Integrity and Availability (None) = no system damage or service disruption. The Medium rating appropriately captures that while the impact is confidentiality-focused and limited to data exposure, the low barrier to exploitation and high reach elevate practical risk above the raw numeric score in most organizational contexts.

Frequently asked questions

Does this vulnerability affect Chrome on Windows or Linux?

No. CVE-2026-11033 is specific to macOS. Chrome on Windows, Linux, Android, and iOS are not affected by this particular uninitialized use flaw in WebML.

Do I need to do anything if auto-update is enabled?

Chrome auto-updates by default, but it requires a restart to apply the patch. Verify your version via Chrome > About Google Chrome; if you see 149.0.7827.53 or later and no restart banner, you are patched. If an older version is shown, restart your browser immediately.

Can this vulnerability be exploited without the user visiting a malicious site?

The vulnerability requires a user to view a crafted webpage. It cannot be triggered remotely without user action, so legitimate browsing habits and basic caution reduce exposure. However, watering-hole attacks and compromised legitimate websites can lower the friction of luring victims to malicious content.

Is there an exploit available for this vulnerability?

There is no indication that this vulnerability is actively exploited in the wild or included in known public exploit frameworks at this time. However, the simplicity of the attack (crafted HTML) means weaponization is straightforward, and you should not assume it will remain unexploited indefinitely.

This analysis is provided for informational purposes to help security teams prioritize and respond to CVE-2026-11033. SEC.co does not warrant the accuracy or completeness of third-party vendor advisories referenced herein. Always verify patch versions and remediation steps directly with Google's official Chrome release notes and your organization's MDM or patch management system. Exploitation details and proof-of-concept code are intentionally omitted to reduce harm. This document does not constitute legal, compliance, or liability advice. Your organization's risk tolerance, asset inventory, and business continuity requirements should inform final remediation decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).