MEDIUM 6.5

CVE-2026-11044: Chrome ANGLE Integer Overflow on macOS – Information Disclosure Risk

A memory access bug in Chrome's graphics engine (ANGLE) allows an attacker to steal sensitive data from your browser's memory. The attacker simply needs to trick you into visiting a malicious webpage—no special privileges or software manipulation required. This affects Mac users running Chrome versions before 149.0.7827.53. The vulnerability is classified as medium severity because while an attacker can read data from memory, they cannot crash your browser or modify files.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-190, CWE-472
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Integer overflow in ANGLE in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11044 is an integer overflow vulnerability residing in ANGLE, Google's graphics abstraction layer used by Chromium-based browsers. Integer overflows occur when arithmetic operations exceed the maximum value a variable can hold, causing wraparound to unexpected values. In this case, the overflow corrupts memory allocation or pointer calculations, allowing an attacker to read out-of-bounds memory regions containing potentially sensitive process data. The vulnerability requires user interaction (visiting a crafted HTML page) and operates within the context of a single process, limiting the scope of exposure. Apple macOS is listed as an affected vendor because Chrome on macOS uses the vulnerable ANGLE code path.

Business impact

Data exfiltration from browser memory poses a real but contained risk to organizations. Users on macOS who browse untrusted sites or receive phishing links may have credentials, tokens, or cached session data extracted. For enterprises relying on Chrome as a standard browser, an unpatched fleet creates a window for targeted attacks against high-value targets. The medium CVSS score reflects that exploitation requires social engineering and yields information disclosure only—not system takeover. Organizations with strict security policies around browser usage or those managing sensitive data should treat this as a priority patch cycle item rather than an emergency.

Affected systems

Google Chrome on macOS versions prior to 149.0.7827.53 are vulnerable. The vulnerability does not affect Chrome on Windows or Linux, nor does it affect other Chromium-based browsers automatically—each vendor must integrate the patched ANGLE code. macOS users of other Chromium derivatives (Edge, Brave, Opera) should check their respective version timelines for when ANGLE patches were backported.

Exploitability

Exploitation is straightforward from an attacker's perspective: no authentication, network access, or special privileges are needed. However, the attack is not wormable or self-propagating. An attacker must craft a malicious HTML page and direct users to it via phishing, watering-hole attacks, or malvertising. The requirement for user interaction to click a link or visit a site slightly raises the bar compared to zero-click vulnerabilities. Once a user lands on the page, the integer overflow is triggered automatically by the browser's graphics rendering engine. The vulnerability has not yet been observed in active exploit campaigns (KEV status is false as of the source data date), indicating it remains theoretical in the wild at this time.

Remediation

Update Chrome to version 149.0.7827.53 or later on all macOS systems. Chrome's auto-update mechanism typically deploys new versions within 24–48 hours of release, but verify deployment in your environment. For managed deployments, push the update through your mobile device management (MDM) or endpoint management platform to ensure timely coverage. No workarounds or mitigations are available—patching is the only remediation. Users on older Chrome versions who cannot immediately patch should avoid visiting untrusted websites or clicking suspicious links pending the update.

Patch guidance

Check your current Chrome version by navigating to Chrome menu > About Google Chrome, which will show your installed version and initiate an automatic update if one is available. Verify that macOS systems have received version 149.0.7827.53 or higher. If you manage Chrome deployments via enterprise policies or MDM, confirm that auto-update policies are enabled or manually push the patched version. For organizations with a change control process, schedule the update for the next maintenance window but prioritize it given the information disclosure risk. Test the update in a non-critical environment first if your policy requires it, though patch compatibility issues are rare for point releases. Document the patch application date for compliance auditing purposes.

Detection guidance

Monitor Chrome version inventory across your macOS fleet using your endpoint detection and response (EDR) tool, asset management system, or MDM platform. Flag any systems still running versions below 149.0.7827.53 for immediate remediation. Network detection is difficult because the attack manifests as anomalous browser memory access that is not easily visible at the network layer. If your organization uses threat intelligence feeds or has access to phishing or malvertising campaigns targeting this vulnerability, monitor for delivery infrastructure and block URLs at the gateway if identified. No specific IDS/IPS signatures are currently available for the memory corruption itself, but behavioral anomalies in a browser process accessing unexpected memory regions might trigger EDR alerts if configured for memory integrity monitoring.

Why prioritize this

Prioritize this patch in your next security update cycle, placing it ahead of lower-impact vulnerabilities but not necessarily ahead of critical remote code execution bugs. The medium CVSS score, requirement for user interaction, and absence of public exploitation in-the-wild justify a standard rather than emergency response. However, organizations with high-value macOS users, frequent handling of sensitive data in the browser, or regulatory requirements around data protection should treat it as a higher priority. Delayed patching increases the window for targeted attacks against specific users or organizations.

Risk score, explained

The CVSS 3.1 score of 6.5 (Medium) reflects: Attack Vector = Network (no special access needed), Attack Complexity = Low (straightforward to trigger), Privileges Required = None, User Interaction = Required (must click/visit), Scope = Unchanged (affects only the Chrome process), Confidentiality = High (sensitive memory can be read), Integrity = None (no data modification), Availability = None (no crash or denial of service). The presence of user interaction requirement and confidentiality-only impact prevent this from reaching High severity, despite the network-based attack surface.

Frequently asked questions

Will this vulnerability affect my organization if I don't use Chrome on macOS?

No. The vulnerability is specific to Chrome on macOS. If you use Chrome on Windows or Linux, or use Safari, Firefox, or other browsers on macOS, you are not affected by this particular issue. However, verify your actual browser deployment across your fleet, as some organizations support multiple browsers.

Can this vulnerability be exploited without user interaction?

No. An attacker must trick a user into visiting a malicious webpage. There is no way for an attacker to exploit this remotely without the user clicking a link or visiting a site. This makes traditional phishing and social engineering the primary attack vectors.

What data can an attacker steal using this vulnerability?

An attacker can read memory from the Chrome process, which may contain cached credentials, session tokens, authentication cookies, browsing history, or data from open web applications. The exact data depends on what the user has loaded or accessed in their browser session. The attacker cannot access files on disk or data from other applications.

How quickly should we deploy this patch?

Deploy within your standard patch management cycle, typically 2–4 weeks for medium-severity issues, unless you have specific risk factors like high-value macOS users or strict data protection requirements. If you can patch faster without disrupting operations, do so. The vulnerability is not currently being actively exploited in the wild, so a week or two of delay is lower-risk than for critical vulnerabilities, but do not defer indefinitely.

This analysis is provided for informational purposes and reflects the vulnerability details and CVSS assessment as of the published date. Organizations should verify patch availability and compatibility within their own environments before deployment. SEC.co does not provide legal, compliance, or insurance-related guidance. Consult your legal and risk teams regarding regulatory obligations specific to your industry and jurisdiction. This vulnerability has not been observed in active exploitation campaigns as of the source data date; threat landscape may change. For the most current advisories and technical details, refer to Google's official Chrome security release notes and Apple's security documentation. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).