MEDIUM 6.5

CVE-2026-11067: Chrome Memory Disclosure Vulnerability in Dawn – Patch to 149.0.7827.53

Google Chrome versions prior to 149.0.7827.53 contain a memory safety vulnerability in the Dawn graphics component that allows attackers to steal sensitive data from browser process memory. An attacker crafts a malicious webpage that, when visited, exploits the uninitialized memory access to leak information that could include cached passwords, session tokens, or other private data. The attack requires user interaction (visiting the page) but works across networks without special privileges.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-457
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Uninitialized Use in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11067 is an uninitialized memory use vulnerability (CWE-457) residing in Chrome's Dawn graphics abstraction layer. When processing crafted HTML and associated GPU-bound rendering operations, certain memory buffers in the renderer process are not properly initialized before use, allowing their residual contents to be exposed to JavaScript running on the page. The vulnerability exists in Chrome versions before 149.0.7827.53 and affects all major operating systems (Windows, macOS, Linux) where Chrome runs. The Chromium project classified this as Medium severity due to confidentiality impact in the absence of integrity or availability compromise.

Business impact

Organizations with users running unpatched Chrome browsers face data exfiltration risk. Attackers can harvest sensitive in-memory artifacts without triggering typical intrusion detection signatures. Compliance frameworks (HIPAA, PCI-DSS, GDPR) may require breach disclosure if personal data is leaked through this vector. The ease of exploitation via a simple webpage makes this particularly concerning for enterprises with strict browsing policies, as targeted campaigns against employee or customer-facing web applications could succeed with minimal adversary sophistication.

Affected systems

Google Chrome prior to version 149.0.7827.53 is directly affected. This covers Chrome on Windows, macOS, and Linux. Any organization or individual running Chrome below this version is at risk. Secondary impact may extend to Chromium-based browsers (Edge, Brave, Opera) if they have not incorporated the patch; verify vendor advisories for those products.

Exploitability

Exploitation is straightforward and requires only a user clicking a malicious link or visiting an attacker-controlled website. No authentication, admin privileges, or prior system compromise is needed. The attacker surface is broad: phishing campaigns, malvertising, or compromised legitimate websites can all deliver the exploit. However, the vulnerability does not grant code execution, only information disclosure, which limits immediate post-exploitation leverage. Exploit development is feasible for a competent attacker once the vulnerability is understood.

Remediation

Update Google Chrome to version 149.0.7827.53 or later. Chrome auto-updates by default on most systems, but users should verify their version (chrome://version) and trigger manual update if needed. For enterprise deployments, use group policy (Windows) or mobile device management to enforce the update. Interim mitigations include disabling JavaScript or blocking untrusted websites, though these are impractical for most users and not a substitute for patching.

Patch guidance

Google released the fix in Chrome 149.0.7827.53. On Windows and macOS, update via Settings > About Chrome, which triggers automatic download and installation after a browser restart. Linux users should update through their distribution's package manager (apt, yum, etc.) or download from google.com/chrome. Enterprise administrators should prioritize deployment within their standard update cycle, treating this as a high-priority patch due to the memory disclosure risk. Verify patch installation by confirming the version number in chrome://version matches 149.0.7827.53 or later.

Detection guidance

Monitor for unusual browser crashes or GPU rendering errors post-patch, as these may indicate failed exploitation attempts. On the network level, inspect for suspicious HTML payloads delivered to internal users (use web content filtering and proxy inspection). Endpoint detection and response (EDR) platforms should flag anomalous memory access patterns within Chrome renderer processes, though this is difficult to detect reliably without specialized GPU-aware tooling. Most effective detection occurs at the preventive stage: alert on outdated Chrome versions in device inventory scans and enforce auto-update policies.

Why prioritize this

Although rated CVSS 6.5 (Medium), this vulnerability warrants above-average priority due to ease of exploitation, broad reach (affects billions of Chrome users), and non-zero risk of sensitive data disclosure in memory. Organizations handling personal data, financial information, or login credentials should patch promptly. The lack of KEV status does not diminish urgency; not all exploited vulnerabilities reach the CISA list, and attackers often weaponize disclosed memory flaws quickly.

Risk score, explained

The CVSS 6.5 score reflects a network-accessible, low-complexity attack vector with no privilege requirements, but mitigated by the requirement for user interaction and absence of impact on system integrity or availability. Confidentiality is rated high (C:H) because process memory can contain sensitive transient data. The score appropriately balances the severity of data disclosure against the limited scope of impact (single process, no escalation). Organizations with high data sensitivity or extensive user-facing web presence should apply additional context and potentially treat this as a higher priority.

Frequently asked questions

Can attackers execute code through this vulnerability?

No. CVE-2026-11067 is purely an information disclosure flaw. It exposes uninitialized memory contents but does not grant the attacker the ability to run code or modify files. However, leaked information (like session tokens or cached credentials) could be used to further compromise accounts or systems.

Does Chrome's auto-update mechanism protect us automatically?

Yes, for most users. Chrome checks for updates on startup and in the background, applying them on the next browser restart. However, users who disable auto-updates or force-close Chrome immediately after patching might remain vulnerable. In enterprise settings with managed devices, verify that auto-update policies are enabled and confirm patch deployment via device inventory tools.

What happens if a user visits a malicious website before updating?

If a user visited a crafted page targeting this vulnerability, their browser's renderer process memory was potentially read by the attacker's JavaScript. You should consider resetting saved passwords, reviewing account activity for unauthorized access, and monitoring for phishing or secondary compromise. If the browser was running while accessing banking or e-mail, treat affected accounts as compromised and reset credentials from a secure device.

Why is this vulnerability in Dawn, and what is Dawn?

Dawn is Chromium's cross-platform graphics abstraction layer that manages GPU-bound rendering tasks. It sits between web content and the underlying graphics APIs (Vulkan, Metal, DirectX). Bugs in Dawn are particularly sensitive because all modern web rendering on Chrome depends on it, making any memory safety flaw in this component a browser-wide concern.

This analysis is based on the official CVE record and vendor advisories current as of the publication date. Patch version numbers and affected system details should be verified against official Google Chrome release notes and NIST NVD. The information provided is for security planning purposes and does not constitute legal or compliance advice. Organizations must apply patches according to their own risk assessment and change management procedures. No exploit code or weaponized proof-of-concept is provided herein. Always test patches in a non-production environment before broad deployment. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).