CVE-2026-11051: Chrome ANGLE Out-of-Bounds Read on Linux – Patch Guide
A memory reading flaw exists in the ANGLE graphics component of Google Chrome on Linux systems prior to version 149.0.7827.53. An attacker can craft a malicious webpage that, when visited, reads data from Chrome's process memory—potentially exposing sensitive information like credentials, cryptographic keys, or other in-memory secrets. The vulnerability requires user interaction (clicking or viewing a link) but does not allow the attacker to modify data or crash the browser.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-125
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Out of bounds read in ANGLE in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11051 is an out-of-bounds read vulnerability in ANGLE (Almost Native Graphics Layer Engine), Chrome's graphics abstraction layer, on Linux platforms. The flaw allows an unauthenticated remote attacker to trigger a memory read operation outside intended buffer boundaries via malicious HTML, violating memory safety controls. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) reflects network exploitability with user interaction required, high confidentiality impact, and no integrity or availability compromise. The underlying cause is classified under CWE-125 (Out-of-bounds Read).
Business impact
Data confidentiality is the primary concern. Attackers exploiting this flaw gain access to sensitive data resident in Chrome's memory during a user's session—including authentication tokens, session identifiers, cached passwords, or in-flight data from web applications. While the browser itself remains functional and data integrity is not affected, successful exploitation can lead to secondary account compromise or credential theft. Organizations relying on Chrome for web-based SaaS platforms should assess whether sensitive transactions occur within the affected version range and the likelihood of users visiting untrusted or compromised websites.
Affected systems
Google Chrome versions prior to 149.0.7827.53 on Linux are vulnerable. The Linux kernel itself is listed in vendor data but the vulnerability is specific to Chrome's ANGLE implementation on Linux systems, not a kernel flaw. Windows and macOS Chrome users are not affected by this particular issue. Verify your Chrome version via chrome://version; auto-update may have already deployed the patch depending on your update cadence.
Exploitability
Exploitation is practical but not trivial. An attacker must craft a specialized HTML page and convince a user to visit it (via phishing, watering hole, compromised advertisement, or social engineering). Once loaded in a vulnerable Chrome instance, the malicious page can reliably trigger the out-of-bounds read. No user-level privileges are required on the target system, and the attack surface is broad—any website visit can be weaponized. However, this is not an in-the-wild 0-day; it was discovered and patched through Google's responsible disclosure process.
Remediation
Update Google Chrome to version 149.0.7827.53 or later on all Linux systems. Enable automatic updates to receive patches without user intervention. For environments where auto-update is disabled, schedule a manual update cycle immediately. No workarounds exist; patching is the only mitigation. Users of Chromium-based browsers (Edge, Brave, Opera) on Linux should verify their vendors' patch status, as they may inherit the same ANGLE vulnerability.
Patch guidance
Google Chrome on Linux should auto-update to version 149.0.7827.53 or higher. Administrators can force an update via Settings > About > Check for Updates, or redeploy Chrome through their endpoint management platform. For managed deployments using Chrome Enterprise or Chromium MSI packages, verify that your distribution channel delivers the patched version. Test the patch in a non-production environment first if your organization has critical Chrome-dependent workflows. No rollback is necessary; the patched version is stable and widely deployed.
Detection guidance
Monitor for Chrome version compliance across Linux endpoints using your endpoint detection and response (EDR) or asset inventory tools. Look for any instances of Chrome < 149.0.7827.53 on Linux systems. Web proxies and network monitoring can flag access to known malicious or suspicious HTML content that might exploit this flaw, though the malicious payload itself may not be easily signature-detectable without deep packet inspection. Consider correlating browser crash logs or memory sanitizer warnings from affected versions with suspect website visits as a forensic indicator. No YARA, SNORT, or IDS signatures are necessary for detection—version checking is sufficient.
Why prioritize this
Although assigned a MEDIUM severity score, this vulnerability warrants prompt patching because: (1) it enables silent data theft without user awareness or browser instability, (2) exploitation requires only a malicious webpage and user navigation (low friction), and (3) confidentiality of sensitive in-memory data is high-stakes in modern web applications. Organizations handling customer data, credentials, or financial information via web apps should prioritize this patch. The absence of KEV listing does not indicate low real-world risk; it reflects that the vulnerability was not widely exploited before the patch became available.
Risk score, explained
The CVSS 3.1 score of 6.5 (MEDIUM) reflects: Network-accessible attack vector with low complexity, no privileges required, user interaction mandatory (visiting a webpage), single security context, high confidentiality impact, and zero integrity or availability impact. The score appropriately captures the confidentiality risk while acknowledging that availability and system-level compromise are not possible. Organizations with high-sensitivity data or high-traffic user bases may perceive additional risk beyond the base score.
Frequently asked questions
Can this vulnerability compromise my entire system, or just Chrome?
Only Chrome's process memory is at risk. An attacker cannot escalate privileges, modify the operating system, or access files outside the Chrome sandbox. However, any sensitive data in Chrome's memory (credentials, session tokens, cryptographic keys) may be disclosed.
Do I need to patch Chrome on Windows and macOS?
This specific CVE affects Linux only. Windows and macOS users should still maintain up-to-date Chrome for other security fixes, but CVE-2026-11051 does not apply to those platforms.
How do I know if I'm vulnerable?
Check your Chrome version at chrome://version. If you see a version lower than 149.0.7827.53 and you're using Linux, you are vulnerable. If automatic updates are enabled, you should already be patched unless you have not restarted your browser recently.
Could this be used in a targeted attack?
Yes. An attacker could craft a phishing email with a malicious link or compromise a website visited by a target to trigger exploitation. The attack leaves minimal forensic evidence if the attacker retrieves only memory data without crashing the browser.
This analysis is based on published CVE data and Google's security advisory as of the date indicated. No exploit code or proof-of-concept is provided. Organizations should verify patch availability through their vendor's official channels and test in non-production environments before widespread deployment. This document does not constitute legal advice or substitute for formal security assessments by qualified professionals. SEC.co makes no warranty regarding the completeness or accuracy of remediation guidance for your specific infrastructure. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure
- CVE-2026-11006MEDIUMChrome Out-of-Bounds Read in Dawn Graphics API—Urgent Patch Required
- CVE-2026-11075MEDIUMOut-of-Bounds Read in Chrome V8 Engine – Memory Disclosure Vulnerability
- CVE-2026-11090MEDIUMChrome ANGLE Memory Leak Enables Cross-Origin Data Theft
- CVE-2026-11096MEDIUMChrome WebRTC Out-of-Bounds Read
- CVE-2026-9953MEDIUMChrome ANGLE Out-of-Bounds Memory Read Information Disclosure
- CVE-2026-10889HIGHCritical ANGLE Sandbox Escape in Google Chrome – Patch to 149.0.7827.53