CVE-2026-11075: Out-of-Bounds Read in Chrome V8 Engine – Memory Disclosure Vulnerability
A flaw in Google Chrome's V8 JavaScript engine allows an attacker to read sensitive data from a browser process's memory by tricking a user into visiting a malicious webpage. The vulnerability exists in Chrome versions before 149.0.7827.53 and requires no special privileges to exploit—only user interaction to visit a crafted page. While the attacker cannot modify data or crash the browser, they can potentially extract confidential information like passwords, session tokens, or other data resident in memory.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-125
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Out of bounds read in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11075 is an out-of-bounds read vulnerability in the V8 JavaScript engine (CWE-125) that affects Google Chrome prior to version 149.0.7827.53. The flaw permits remote code execution context to access memory beyond the intended bounds of an object or buffer, allowing information disclosure. The vulnerability is triggered through malicious HTML delivered to a user's browser and has a CVSS 3.1 score of 6.5 (Medium severity), reflecting high confidentiality impact but no integrity or availability compromise. The attack vector is network-based with low attack complexity and requires only user interaction (visiting a webpage) to succeed.
Business impact
Data exfiltration is the primary risk: attackers can extract sensitive information from browser memory without requiring user passwords or multi-factor authentication bypass. For organizations where Chrome is the primary or mandated browser, this creates a pathway for credential theft, API key exposure, or proprietary data leakage. The requirement for user interaction (visiting a malicious site) makes phishing, watering-hole attacks, or ad-injection campaigns the likely delivery vectors. The business impact depends on user awareness and browser policy controls; users who avoid suspicious links face lower risk, but determined social engineering or compromised legitimate sites present serious exposure.
Affected systems
Google Chrome versions prior to 149.0.7827.53 are directly affected. The vulnerability manifests on all operating systems where Chrome runs: Windows, macOS, and Linux. The CVE entry lists Linux kernel as an affected product in the taxonomy, though the vulnerability is a Chrome-specific memory safety issue rather than a kernel-level flaw; patching Chrome itself is the remediation. Organizations running older Chrome instances on any supported OS are at risk.
Exploitability
Exploitation requires network access and user interaction—specifically, convincing a user to visit or be redirected to a malicious HTML page. No authentication or elevated privileges are needed. The attack complexity is low, meaning straightforward HTML and JavaScript can trigger the out-of-bounds read. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the available data, indicating no confirmed in-the-wild exploitation at the time of disclosure; however, the low barrier to exploitation and the attractiveness of memory-disclosure attacks mean active exploitation could emerge rapidly if proof-of-concept details are published.
Remediation
Update Google Chrome to version 149.0.7827.53 or later on all affected systems. Chrome's auto-update mechanism should deploy the patch automatically on most systems, but verification is recommended in enterprise environments. For macOS and Linux deployments, ensure that browser update policies are enforced and that users are not blocked from receiving security updates. Verify successful patching by checking the browser version in Chrome settings (chrome://settings/help).
Patch guidance
Google Chrome typically rolls out security updates across stable, beta, and developer channels. Organizations should monitor Chrome's release notes or security advisories for confirmation that version 149.0.7827.53 includes this fix. If using Chrome in an enterprise environment with update policies, ensure that blocking or deferring updates does not prevent this security patch from being applied. Test the patched version in a non-production environment if your organization requires change control. Users on personal devices should allow Chrome to auto-update; if manual updates are necessary, visit chrome://settings/help to trigger an immediate check.
Detection guidance
Detection of exploitation attempts is challenging because the attack occurs entirely within a browser process and leaves minimal forensic traces without specialized instrumentation. Network-level detection: monitor for users visiting known-malicious domains or sudden DNS lookups to suspicious hosts that might host exploit pages. Endpoint detection: Chrome may log crash reports if the out-of-bounds read causes instability; review Chrome's crash reporter logs (if enabled) for unexpected memory access violations. Browser history analysis on compromised systems may reveal visits to exploit pages. Process-level monitoring tools can detect unusual V8 memory access patterns, but this requires advanced endpoint detection and response (EDR) tooling configured to track JavaScript engine behavior. User education on avoiding phishing and watering-hole sites remains a practical defense.
Why prioritize this
This vulnerability merits timely patching due to the combination of ease of exploitation and high confidentiality impact. The CVSS score of 6.5 reflects 'Medium' severity, but the practical risk depends on organizational context: high-sensitivity environments handling credentials or intellectual property should prioritize this patch within days; general-population browsers can follow standard patch cycles (within 1-2 weeks). The lack of KEV designation suggests it is not yet actively exploited at scale, providing a window to patch before opportunistic campaigns leverage proof-of-concept code.
Risk score, explained
The CVSS 3.1 score of 6.5 (Medium) reflects: (1) network attack vector—anyone on the internet can craft and host an exploit page; (2) low attack complexity—no special setup or rare conditions needed; (3) no privilege requirement; (4) user interaction required—the target must visit the malicious page; (5) high confidentiality impact—sensitive memory contents can be read; (6) no integrity or availability impact—data cannot be modified and the process typically does not crash. The score appropriately captures that this is a serious information-disclosure flaw for its users, but not a remote code execution or system-level threat. Organizations with defense-in-depth controls (Content Security Policy, browser isolation, endpoint detection) may effectively lower realized risk below the base score.
Frequently asked questions
Does this vulnerability allow arbitrary code execution or malware installation?
No. This is a memory-disclosure vulnerability, not a code-execution flaw. An attacker can read sensitive data from Chrome's memory but cannot execute arbitrary code or escape the browser sandbox to infect the underlying system. However, stolen credentials or session tokens could enable subsequent account compromise.
Will my Chrome browser automatically patch this vulnerability?
Yes, Chrome's default behavior is to check for and download security updates automatically. Your browser will typically patch within 24-48 hours of Google's release. To verify you have the latest version, open Chrome settings, go to 'About Chrome,' and check the version number. You can also manually trigger an update check there.
Are there workarounds if I cannot update Chrome immediately?
Mitigations are limited at the technical level, but you can reduce risk by: avoiding suspicious websites and phishing links, disabling JavaScript if non-critical for your workflow (though this breaks most modern sites), and using browser extensions that block known-malicious domains. For enterprise environments, network-level controls (filtering malicious sites, blocking redirects to exploit pages) provide supplementary defense. However, patching is the only complete remediation.
What is the difference between CVSS score and KEV status?
CVSS is a standardized severity rating (0-10) based on technical characteristics of the vulnerability. KEV status indicates whether the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that this vulnerability is being actively exploited in the wild. This CVE has a CVSS of 6.5 but is not yet on the KEV list, meaning it is technically moderate in severity and not confirmed as widely exploited—yet.
This analysis is based on the vulnerability disclosure and vendor advisories available as of the publication date. CVSS scores and vulnerability details may be updated by vendors or NIST. Organizations should verify patch availability and compatibility with their specific Chrome deployment before applying updates. This document is provided for informational purposes and does not constitute legal, compliance, or professional security advice. Consult your internal security team or a qualified cybersecurity professional for guidance tailored to your environment. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure
- CVE-2026-11006MEDIUMChrome Out-of-Bounds Read in Dawn Graphics API—Urgent Patch Required
- CVE-2026-11090MEDIUMChrome ANGLE Memory Leak Enables Cross-Origin Data Theft
- CVE-2026-11096MEDIUMChrome WebRTC Out-of-Bounds Read
- CVE-2026-9953MEDIUMChrome ANGLE Out-of-Bounds Memory Read Information Disclosure
- CVE-2026-10889HIGHCritical ANGLE Sandbox Escape in Google Chrome – Patch to 149.0.7827.53
- CVE-2026-10927HIGHChrome Sandbox Escape via Dawn Out-of-Bounds Read