CVE-2026-11090: Chrome ANGLE Memory Leak Enables Cross-Origin Data Theft
Google Chrome versions before 149.0.7827.53 contain a flaw in the ANGLE graphics library that can be exploited to leak data across website boundaries. An attacker could craft a malicious webpage that, when visited, causes Chrome to inadvertently expose sensitive information from other origins a user has open. This requires user interaction (visiting the malicious page) but does not require special privileges. The vulnerability affects Windows, macOS, and Linux systems running vulnerable Chrome versions.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-125, CWE-457, CWE-787
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Uninitialized Use in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11090 is an uninitialized memory use vulnerability in ANGLE (a graphics abstraction layer used by Chrome) that enables cross-origin data disclosure. The vulnerability stems from improper handling of uninitialized variables or buffer regions during graphics processing, allowing an attacker to read sensitive data from memory that should be isolated by the same-origin policy. The flaw is classified under CWE-125 (out-of-bounds read), CWE-457 (uninitialized variable), and CWE-787 (out-of-bounds write), indicating multiple potential memory safety issues in the graphics pipeline. Attack surface is the renderer process when handling crafted HTML containing specially constructed graphics commands.
Business impact
A successful exploitation allows attackers to exfiltrate sensitive user data—such as authentication tokens, form data, or private content from other open tabs—without user awareness beyond visiting a malicious site. For organizations where employees browse the web during work, this creates a direct channel for credential theft and lateral movement intelligence gathering. The requirement for user interaction limits mass exploitation but does not eliminate the risk in targeted campaigns. Data loss and compliance violations (GDPR, HIPAA, PCI-DSS depending on data exposed) are potential consequences.
Affected systems
All platforms running Google Chrome prior to version 149.0.7827.53 are affected, including Windows, macOS, and Linux. Apple macOS and Microsoft Windows users are likely the largest populations at risk. Linux systems, including those running the Linux kernel directly alongside Chrome, are also vulnerable. Any organization using Chrome as the primary or approved browser faces exposure across its user base.
Exploitability
Exploitability is moderate. The attack requires a user to visit or be redirected to an attacker-controlled webpage, making it suitable for targeted phishing, watering-hole attacks, or compromise of legitimate sites. No special user privileges or complex interaction patterns are needed beyond a single visit. The medium CVSS score (6.5) reflects the requirement for user interaction (UI:R) balanced against network accessibility and the confidentiality impact. Public exploit code is not known to exist in the wild, but the conceptual simplicity of graphics-based memory leaks suggests reproduction may be straightforward for skilled researchers.
Remediation
Update Google Chrome to version 149.0.7827.53 or later. Chrome's auto-update mechanism will roll out the patch, but verification is recommended in high-security environments. Organizations using managed Chrome deployments (via Chromebook or enterprise admin controls) should ensure update policies are configured to deploy the patch promptly. No workarounds exist; patching is the only mitigation.
Patch guidance
Deploy Chrome version 149.0.7827.53 or later across all endpoints. For Windows, macOS, and Linux deployments, verify update completion by navigating to chrome://version/ and confirming the version number. In enterprise environments using Google Admin Console, confirm auto-update policies are enabled or manually push the version via deployment tools. Test the patch on a representative sample before full rollout to ensure no regression in compatibility with critical internal or business-critical web applications.
Detection guidance
Monitor for successful Chrome updates via endpoint management tools or audit logs. Behavioral detection is challenging because the exploit leaves minimal forensic artifacts—data exfiltration occurs within the Chrome process memory space without obvious file system activity. Consider browser telemetry if available through enterprise Chrome policies. For incident response, examine Chrome history and open tabs at time of suspected exploitation to identify potentially malicious visited URLs. Memory dumps or crash logs may contain evidence of uninitialized reads, though post-mortem analysis is difficult.
Why prioritize this
This vulnerability merits prompt patching because it enables silent, targeted data exfiltration against web-using employees without triggering obvious user-facing warnings. The medium severity, combined with the widespread use of Chrome in enterprise environments and the low barrier to user exploitation (simply visiting a site), justifies rapid deployment. Organizations handling sensitive data should prioritize this above lower-impact issues. The absence of KEV listing does not reduce urgency; active exploitation may simply not yet be documented.
Risk score, explained
CVSS 6.5 (Medium) reflects a network-accessible, low-complexity attack that requires user interaction but results in high confidentiality impact and no integrity or availability impact. The score appropriately weights the ease of triggering the vulnerability against the serious consequence (cross-origin data leak) and the practical barrier of user click-through. In environments where employees handle regulated data or authentication secrets, the business risk exceeds the base CVSS due to downstream compromise potential.
Frequently asked questions
Can this vulnerability allow an attacker to steal my passwords or authentication tokens?
Yes. If a user visits a malicious site while authenticated to another service (e.g., email, banking), the vulnerability may leak authentication cookies, tokens, or session data from the other origin due to memory disclosure. This is why patch urgency is high for organizations handling sensitive credentials.
Does Chrome's auto-update mechanism protect me automatically?
Chrome auto-update will eventually deploy version 149.0.7827.53 to most users, but delays depend on user login frequency and device uptime. In enterprise settings, admins should not rely solely on automatic updates—configure managed update policies to enforce deployment within a specific timeframe (e.g., 7 days).
Is there a way to disable graphics or limit exposure until I patch?
No practical workaround exists. Disabling hardware graphics acceleration may marginally reduce attack surface, but ANGLE is core to Chrome's rendering pipeline. Patching is the only reliable mitigation. Users can reduce risk by closing sensitive tabs before visiting untrusted sites, but this is not a complete solution.
Why is this vulnerability not on the CISA KEV list yet?
The KEV catalog prioritizes vulnerabilities with evidence of active exploitation in the wild. Lack of KEV listing does not indicate low severity—it reflects absence of documented weaponization. This vulnerability should still be treated as high priority for patching.
This analysis is based on publicly available vulnerability data as of the publication date. Patch versions, timelines, and affected product details should be verified against official vendor advisories (Google Chrome Security Release, Microsoft, and Apple security bulletins) before deployment. SEC.co makes no warranty regarding exploit prevalence, detection accuracy, or the completeness of remediation guidance. Organizations should conduct internal testing and threat modeling to determine risk tolerance and patch scheduling. No exploit code or proof-of-concept instructions are provided herein. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10941HIGHSkia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required
- CVE-2026-11091HIGHCritical Chrome Memory Corruption Vulnerability in Dawn Graphics Engine
- CVE-2026-9910HIGHChrome ANGLE Out-of-Bounds Memory Access – Exploit & Patch Guide
- CVE-2026-9975HIGHChrome ANGLE Sandbox Escape – Out-of-Bounds Memory Vulnerability
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure
- CVE-2026-11006MEDIUMChrome Out-of-Bounds Read in Dawn Graphics API—Urgent Patch Required
- CVE-2026-11039MEDIUMChrome Skia Uninitialized Variable Data Leak Vulnerability