HIGH 8.8

CVE-2026-11055: Chrome ANGLE Use-After-Free Remote Code Execution on Windows

A use-after-free vulnerability in ANGLE (Google's graphics library) affects Chrome on Windows systems prior to version 149.0.7827.53. An attacker can craft a malicious webpage that, when visited, executes arbitrary code within Chrome's sandbox environment. While the Chromium team rated this as medium severity internally, the CVSS score of 8.8 reflects the practical impact: any user visiting a hostile site is at risk, no user interaction beyond clicking a link is required, and successful exploitation grants code execution.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Use after free in ANGLE in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11055 is a use-after-free flaw (CWE-416) in ANGLE, the graphics abstraction layer bundled with Chrome. Use-after-free vulnerabilities occur when freed memory is accessed again, potentially allowing an attacker to corrupt the heap or redirect execution. In this case, the flaw resides in ANGLE's rendering pipeline and can be triggered via crafted HTML and WebGL content served from a remote website. The vulnerability is exploitable in a network context without elevated privileges or special browser configuration. The sandboxed execution model provides a baseline defense, but the sandbox itself is the attack boundary—breakout techniques or subsequent privilege escalation would extend impact beyond process isolation.

Business impact

Organizations relying on Chrome for employee browsing face active compromise risk if users visit attacker-controlled or compromised websites. Financial services, media companies, and any sector where employee devices access untrusted content are exposed. Successful exploitation delivers arbitrary code execution within the Chrome process, enabling credential theft, malware installation, or lateral movement to internal systems. The requirement for user interaction (visiting a link) is a speed bump, not a barrier, given phishing and watering-hole attack prevalence. Delayed patching across a workforce materially increases intrusion surface.

Affected systems

Google Chrome on Microsoft Windows versions prior to 149.0.7827.53 are vulnerable. The fix is version-gated; Chrome on other operating systems (Linux, macOS) may have different patch versions—verify against Google's advisory. Enterprise deployments using Chrome with managed policies, as well as consumer users on unmanaged Windows systems, are in scope. Systems running Chrome 149.0.7827.53 or later are patched.

Exploitability

Exploitation requires only network access and user interaction (visiting a malicious or compromised website). No authentication, special permissions, or browser add-ins are needed. An attacker can host exploit-containing HTML on any accessible server or inject malicious scripts into legitimate sites via compromised infrastructure or supply-chain compromise. The barrier to weaponization is low; proof-of-concept code would likely circulate quickly among security researchers and threat actors. The vulnerability is currently not listed in CISA's Known Exploited Vulnerabilities catalog, but the recency of disclosure and the simplicity of triggering the flaw suggest active exploitation is a near-term risk.

Remediation

Update Google Chrome to version 149.0.7827.53 or later. Chrome's automatic update mechanism should deploy the patch within days; verify via Settings > About Chrome that the version string reflects the patched build. For enterprise environments, use Chrome Enterprise policies or Mobile Device Management (MDM) tools to enforce timely updates. Consider temporarily restricting browsing to whitelisted, trusted sites if immediate patching is infeasible. Testing should confirm no critical workflows are broken by the update before broad rollout.

Patch guidance

Patched version is Chrome 149.0.7827.53. Google typically releases patches on Tuesdays; consult the Google Chrome release notes and security advisories for the exact deployment date and any interim guidance. Enterprise administrators should test the patched version in a pilot group, then roll out via MDM or Group Policy to force installation. Users on non-enterprise systems should enable automatic updates (Chrome default) and restart the browser when prompted. Verify the update completed by opening chrome://version/ and confirming the build number is at least 149.0.7827.53 or higher.

Detection guidance

Monitor for Chrome process crashes or unexpected terminations on Windows systems, which may indicate exploitation attempts. Endpoint detection and response (EDR) tools should flag anomalous memory access patterns, heap spraying activity, or sandbox escape attempts originating from Chrome child processes. Network-level detection is limited because exploit delivery is via HTTP/HTTPS web traffic; focus on user behavior (unexpected visits to suspicious domains) and post-exploitation indicators (data exfiltration, lateral movement attempts). Check browser history and network logs for visits to known malicious sites during the window of exposure. In incident response, assume compromised Chrome processes could have spawned secondary malware or stolen cached credentials; preserve forensics and scan endpoints downstream.

Why prioritize this

This vulnerability merits immediate attention due to the combination of high CVSS score (8.8), low exploitation barriers (network access + user click), and realistic attack scenarios. Chrome's ubiquity in enterprise and consumer environments, coupled with the simplicity of delivering the exploit (any webpage), elevates risk. The lack of KEV listing does not imply low priority; it reflects the recency of disclosure. Organizations should treat this as critical-priority patching within 48–72 hours of patch release. Business units relying on unpatched systems for essential work should coordinate with IT for accelerated testing and deployment.

Risk score, explained

CVSS 8.8 (HIGH) is driven by network accessibility (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), and user interaction limited to following a link (UI:R). Impact ratings are high across confidentiality, integrity, and availability (C:H/I:H/A:H) because code execution within the Chrome process can steal data, modify files in the user's context, or crash the browser. The sandboxed execution scope (S:U, unchanged scope) prevents direct system-wide impact but does not reduce the risk to the individual user or their data. The score reflects a realistic, remotely triggerable threat with significant user harm potential.

Frequently asked questions

Does Chrome's sandbox protection make this vulnerability less dangerous?

The sandbox limits the attacker's direct access to the operating system and other processes, which is a valuable control. However, the sandbox is the security boundary being attacked; a sandbox escape or post-exploitation steps could lead to full system compromise. Even without escape, code running in the sandboxed Chrome process can exfiltrate sensitive data (browsing history, saved passwords if not protected by OS keying, session tokens) and install additional malware. The sandbox is a mitigation, not a full remedy.

I'm on Chrome 149.0.7827.52. Am I vulnerable?

Yes. The patch is version 149.0.7827.53 or later. If you are on any version prior to .53, you are vulnerable. Update immediately via Settings > About Chrome to trigger the automatic update and restart.

What if I disable JavaScript or use a content blocker?

These mitigations reduce attack surface but do not eliminate risk. The vulnerability is in ANGLE's graphics rendering code, which can be triggered by WebGL or other graphics APIs enabled by default in Chrome. Disabling JavaScript or using ad blockers may prevent some exploit delivery mechanisms but are not a substitute for patching. Patching is the definitive remediation.

Is this vulnerability exploited in the wild?

As of the disclosure date (June 4, 2026), this CVE is not listed in CISA's Known Exploited Vulnerabilities catalog. However, the low barrier to exploitation (crafted HTML delivered via any website) means active exploitation is a realistic near-term risk. Organizations should assume opportunistic or targeted attacks are possible and prioritize patching accordingly.

This analysis is based on the vulnerability disclosure and official advisories current as of the publication date. Patch version numbers, CVSS scores, and affected product versions are derived from vendor releases; verify against Google's official Chrome security advisories and Microsoft's guidance for the most current information. This explainer is for educational and defensive security purposes. No exploit code or detailed attack methodology is provided. Organizations should conduct internal risk assessment and testing appropriate to their environment before applying patches. SEC.co does not provide legal or compliance advice; consult your organization's security and legal teams regarding incident response and disclosure obligations. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).