CVE-2026-11087: Chrome ANGLE Memory Leak Allows Cross-Origin Data Theft
A memory safety issue in Google Chrome's ANGLE graphics library allows an attacker who has already compromised the renderer process to steal sensitive data from other websites. The vulnerability requires user interaction (visiting a malicious web page) and affects Chrome on Windows, macOS, and Linux. The attacker gains read-only access to cross-origin data, meaning they cannot modify it or crash the browser, but confidentiality is at risk.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-457
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Uninitialized Use in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11087 is an uninitialized variable vulnerability (CWE-457) in the ANGLE (Almost Native Graphics Layer Engine) graphics abstraction library used by Chrome. When a renderer process has been compromised, a specially crafted HTML page can trigger the uninitialized use condition, leaking memory contents that may include data from other origins. The vulnerability requires the user to visit a malicious page, but once the renderer process is already in a compromised state, the attacker can exfiltrate cross-origin information without additional privilege escalation. The issue was resolved in Chrome 149.0.7827.53 and later versions.
Business impact
This vulnerability primarily affects confidentiality. If a threat actor has already gained access to a Chrome renderer process through another means (such as a prior exploit or social engineering), they can amplify the damage by harvesting sensitive user data from other websites the user visits. For organizations where employees browse sensitive web applications, this creates a secondary risk window during the period between renderer compromise and patch deployment. The Medium CVSS score reflects the limited immediate exposure, but the cross-origin data leakage amplifies risk in multi-tab browsing scenarios.
Affected systems
Google Chrome versions prior to 149.0.7827.53 are vulnerable. The vulnerability affects Chrome on all major platforms: Windows, macOS, and Linux. Any user running an unpatched Chrome version is at risk if their renderer process becomes compromised through an unrelated attack vector. Organizations standardizing on Chrome across operating systems should prioritize patching across all deployment types.
Exploitability
Exploitation requires two conditions: (1) the renderer process must already be compromised by another vulnerability or attack method, and (2) the user must visit a malicious webpage while the compromised state exists. This is not a zero-click vulnerability and does not grant initial code execution on its own. The attack chain is situational and depends on prior compromise. The lack of KEV status indicates CISA has not documented evidence of active exploitation in the wild as of the intelligence cutoff date. However, the relatively low barrier to trigger uninitialized memory reads once renderer access is obtained means that sophisticated threat actors combining multiple exploits could weaponize this.
Remediation
Update Google Chrome to version 149.0.7827.53 or later immediately. Chrome's auto-update mechanism will deploy patches, but verify that no instances remain on earlier versions, particularly in corporate environments with update management policies. For macOS and Linux users, check system update channels. No workarounds exist; patching is the only mitigation. Test patch deployment in non-critical environments first to confirm compatibility with dependent applications.
Patch guidance
Verify Chrome's version via chrome://settings/help or the menu (Chrome menu > About Google Chrome). Chrome will automatically check for and download updates; allow the browser to restart to apply the patch. In enterprise environments, use Chrome's managed policies to enforce the minimum version requirement (149.0.7827.53+) and configure automatic updates if not already enabled. For Linux distributions, ensure the system package manager or official Chrome repository provides Chrome 149.0.7827.53 or later. Test the patched version with internal web applications before mandatory deployment to confirm no regressions occur.
Detection guidance
Monitor Chrome version numbers across your environment using endpoint detection tools or browser telemetry APIs. Identify any instances reporting version numbers below 149.0.7827.53 as non-compliant. On the application side, security teams may observe signs of cross-origin data exfiltration through network monitoring, though the leaked data would exit via normal browser channels, making detection challenging without deep packet inspection. Focus detection efforts on identifying and containing the initial renderer compromise vector (e.g., prior CVE exploitation, malicious extensions, or social engineering) rather than the secondary data leak itself.
Why prioritize this
Prioritize this vulnerability for patching but not as an emergency if your organization has no evidence of prior renderer process compromises. The Medium severity reflects the dependency on prior compromise and user interaction. However, if your threat model includes sophisticated attackers or if you've observed prior exploitation activity targeting Chrome, move this to high priority. Organizations handling highly sensitive user data (healthcare, financial, legal) should patch sooner to reduce the window of opportunity for chained attacks.
Risk score, explained
The CVSS 3.1 score of 6.5 (Medium) reflects: Network vector (low barrier to deliver the malicious page), Low complexity (no specific configuration needed), No privileges required (users can access Chrome normally), User interaction required (user must visit the malicious page), and High confidentiality impact (cross-origin data leakage) balanced against no integrity or availability impact. The score appropriately weights the indirect nature of the threat (requires prior renderer compromise not quantified in CVSS itself). For your organization, adjust the risk rating based on your threat model: increase priority if you've observed renderer-targeting exploits, decrease if you maintain strong process isolation and restrict user browsing.
Frequently asked questions
Do I need to be running an older Chrome version to be at risk?
Yes. Only Chrome versions prior to 149.0.7827.53 are affected. Verify your version in chrome://settings/help; Chrome will auto-update, but confirm the update has been applied and the browser restarted.
Can this vulnerability be exploited without prior compromise of the renderer process?
No. This vulnerability requires the renderer process to already be compromised by another attack. It amplifies the damage of a prior breach but does not enable initial code execution. Addressing this vulnerability is part of defense-in-depth after patching other browser vulnerabilities.
What if I'm using Chrome on a managed device in a corporate environment?
Contact your IT security team to confirm Chrome auto-update is enabled and the deployment target version meets 149.0.7827.53 or later. In some organizations, updates are managed centrally; verify through your MDM or patch management system.
Is there a workaround if I cannot patch immediately?
No reliable workaround exists. Avoid visiting untrusted websites and restrict renderer process exposure if you suspect prior compromise. Patching is the only effective mitigation. If immediate patching is infeasible, consider using alternative browsers temporarily or restricting sensitive browsing activities until Chrome is updated.
This analysis is based on CVE-2026-11087 data as of June 2026. Threat landscape and patch availability may evolve. Verify patch version numbers and availability against official Google Chrome security releases and vendor advisories. This vulnerability does not appear on CISA's KEV catalog as of publication. Organizations should conduct their own risk assessment aligned with their threat model, data sensitivity, and operational constraints. No exploit code or proof-of-concept details are provided; this is for defensive planning only. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-11039MEDIUMChrome Skia Uninitialized Variable Data Leak Vulnerability
- CVE-2026-11057MEDIUMChrome Skia Uninitialized Memory Leak – 6.5 CVSS
- CVE-2026-11067MEDIUMChrome Memory Disclosure Vulnerability in Dawn – Patch to 149.0.7827.53
- CVE-2026-11089MEDIUMGoogle Chrome Memory Disclosure in Media Handling
- CVE-2026-11090MEDIUMChrome ANGLE Memory Leak Enables Cross-Origin Data Theft
- CVE-2026-11104MEDIUMChrome ANGLE Uninitialized Memory Disclosure (CVSS 6.5)
- CVE-2026-11109MEDIUMANGLE Uninitialized Use Data Leak in Chrome – Patch Guidance
- CVE-2026-11110MEDIUMChrome Data Leakage via ANGLE Memory Vulnerability