MEDIUM 6.5

CVE-2026-11045: Chrome GPU Memory Disclosure Vulnerability

Google Chrome versions before 149.0.7827.53 contain a flaw in GPU input validation that can leak sensitive data from memory. An attacker who has already compromised Chrome's renderer process can craft a malicious HTML page to read protected information. This is a stepping-stone attack—it requires prior renderer compromise but can extract valuable secrets afterward.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-20
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Insufficient validation of untrusted input in GPU in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11045 stems from insufficient validation of untrusted input passed to Chrome's GPU subsystem (CWE-20). The vulnerability permits an attacker with renderer process code execution to trigger an information disclosure condition via specially crafted HTML, reading potentially sensitive data from the same process's memory space. The CVSS 3.1 score of 6.5 (MEDIUM) reflects the need for user interaction and prior renderer compromise, but the confidentiality impact is rated high. Chromium security assessment confirms MEDIUM severity.

Business impact

For enterprises relying on Chrome for sensitive tasks, this vulnerability creates a two-stage attack vector: first compromising the renderer (via drive-by download, phishing attachment, or supply-chain compromise), then exfiltrating confidential data via GPU memory operations. The risk is elevated in environments where Chrome processes financial data, source code, or personal identifiers. Organizations without rapid patch deployment mechanisms face extended exposure windows during which active attackers can harvest data from compromised sessions.

Affected systems

The vulnerability affects Google Chrome on Windows, macOS, and Linux. The underlying GPU handling code is shared across platforms, making all three operating systems equally vulnerable. Users running Chrome version 149.0.7827.53 and later are protected; earlier versions remain at risk. Enterprise deployments with managed browser policies should verify their deployed version numbers against this threshold.

Exploitability

Exploitation requires two conditions: (1) the renderer process must already be compromised through a separate vulnerability or attack, and (2) the user must visit a malicious page or the compromised context must be redirected to attacker-controlled content. There is no public record of this vulnerability being added to CISA's Known Exploited Vulnerabilities (KEV) catalog, but the relative simplicity of the GPU validation bypass suggests moderate technical barriers once renderer access is obtained. The attack does not require special privileges or system configuration changes.

Remediation

Update Chrome to version 149.0.7827.53 or later on all endpoints. Google Chrome includes automatic update mechanisms that typically deploy patches within 24–48 hours of release. Verify deployment via the browser's About menu (chrome://about) which displays the installed version and triggers background updates. Organizations using Chromium ESR (Extended Stable Release) should align patch timelines with ESR release schedules, which typically lag standard releases by a few weeks.

Patch guidance

Patch availability: Google released version 149.0.7827.53 to resolve this flaw. Enterprise administrators should validate patch deployment through mobile device management (MDM) tools or browser update reporting dashboards. For managed Chrome deployments, use group policies or configuration management to enforce minimum version requirements. Verify the update by accessing chrome://version on affected machines. Schedule patch validation shortly after release to ensure no rollback or compliance gaps exist. Test patched versions in non-production environments first if using custom Chrome builds or extensions.

Detection guidance

Monitor for successful Chrome renderer process compromises, as they are the prerequisite for exploiting this GPU validation flaw. Behavioral indicators include: (1) unexpected memory access patterns in Chrome GPU processes, (2) renderer crashes followed by data exfiltration attempts, (3) crafted HTML files in browser cache with GPU-intensive operations, and (4) correlation between renderer compromise alerts and subsequent outbound data transfers. Network detection should flag suspicious data transfers from browser processes to unusual destinations. Endpoint detection tools can monitor Chrome process memory for unauthorized reads; however, this requires deep visibility into GPU kernel operations.

Why prioritize this

While the CVSS score of 6.5 reflects MEDIUM severity, this vulnerability warrants prompt patching because: (1) it enables data exfiltration from process memory after renderer compromise, escalating the impact of first-stage renderer exploits; (2) Chrome's ubiquity in enterprise environments means broad exposure; (3) the patch is trivial to deploy via automatic updates; (4) there is no compensating control short of disabling GPU acceleration, which degrades browsing performance; and (5) the lack of KEV status does not indicate low risk—it reflects low current exploitation, not low risk if exploited.

Risk score, explained

CVSS 3.1 score 6.5 (MEDIUM) is appropriate and reflects: Attack Vector (Network) and Attack Complexity (Low) account for the ability to deliver malicious content via web; Privileges Required (None) and User Interaction (Required) account for the need to visit a page and the implicit renderer compromise prerequisite; Scope (Unchanged) confines impact to the Chrome process; Confidentiality Impact (High) reflects memory disclosure capability; Integrity and Availability impacts (None) acknowledge that data is only read, not modified or deleted. The score does not factor in the multi-stage attack requirement, which is why contextual risk assessment should consider it a higher priority than the score alone suggests.

Frequently asked questions

Does this vulnerability affect Chrome on Android and iOS?

The vulnerability description focuses on desktop platforms (Windows, macOS, Linux). Mobile Chrome implementations have separate GPU handling paths. Verify with Google's official security advisories or your mobile device management platform for mobile-specific patch status, as mobile releases may follow a different schedule.

Can I mitigate this without patching?

Disabling GPU acceleration (Settings > Advanced > System > Disable hardware acceleration) would prevent the GPU code path from executing, but this degrades performance for video, WebGL, and graphics-heavy sites. Patching is strongly preferred. Alternatively, restricting visits to untrusted websites reduces exposure, but is not foolproof.

If an attacker has renderer access already, what exactly can they read from memory?

The vulnerability allows reading 'potentially sensitive information from process memory.' In practice, this could include session cookies, authentication tokens, cached passwords, or data from open web pages. The scope is limited to the renderer process's own memory; it does not grant access to other processes or system memory.

Is this vulnerability being actively exploited?

CISA has not added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog as of the available information, suggesting limited or no evidence of active in-the-wild exploitation at the time of disclosure. However, lack of KEV status does not guarantee safety—it reflects current threat intelligence and can change as campaigns emerge.

This analysis is based on publicly available vulnerability data current as of the publication date. Patch version numbers, affected software versions, and CVSS scores are sourced from official vendor advisories and the NVD. No exploit code or weaponized proof-of-concept instructions are provided. Organizations should verify all remediation steps against official Google Chrome security advisories before deployment. Risk assessment should incorporate your organization's specific Chrome usage patterns, renderer compromise risk tolerance, and patch management capabilities. This document does not constitute professional security advice; consult your security team and vendor documentation for definitive guidance. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).