CVE-2026-11091: Critical Chrome Memory Corruption Vulnerability in Dawn Graphics Engine
A flaw in Google Chrome's graphics rendering engine (Dawn) allows attackers to trick users into visiting malicious web pages that can read sensitive data, modify files, or crash the browser. The vulnerability requires user interaction—specifically clicking a link or visiting a crafted website—but once triggered, it bypasses Chrome's memory protections. This affects Chrome versions before 149.0.7827.53 across Windows, macOS, and Linux.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-125, CWE-787
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11091 stems from an inappropriate implementation in the Dawn graphics abstraction layer within Chrome's rendering pipeline. The flaw permits out-of-bounds memory access when processing specially crafted HTML content, violating memory safety boundaries. The vulnerability maps to CWE-125 (out-of-bounds read) and CWE-787 (out-of-bounds write), indicating both read and write primitive potential. Attack surface is the network-accessible web rendering path; no elevated privileges or complex user actions beyond visiting a hostile page are required. While Chromium's internal severity assessment is Medium, the CVSS 3.1 vector (8.8 HIGH, AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) reflects the confluence of network deliverability, low attack complexity, and confidentiality/integrity/availability impact.
Business impact
Exploitation could result in data exfiltration from active browser sessions, credential theft, malware installation, or browser-based lateral movement into corporate networks. Organizations where employees browse untrusted content face risk of compromise without additional user warnings if the attack is sufficiently sophisticated. For SaaS providers and cloud-based applications, this represents a vector for session hijacking or application-level data theft. Patch adoption timelines directly correlate with enterprise exposure duration.
Affected systems
The vulnerability affects Google Chrome on Windows, macOS, and Linux platforms. All Chrome versions prior to 149.0.7827.53 are in scope. Users of Chromium-based browsers (Edge, Brave, Opera, etc.) that backport Chrome security patches may also be affected; verify vendor advisories for those products. The underlying graphics engine is common across modern Chromium variants.
Exploitability
Exploitability is moderate-to-high in practice. The attack requires crafting malicious HTML that triggers the memory access flaw—a non-trivial engineering effort—but delivers a high-impact outcome. No exploit code is known to be in public circulation based on KEV tracking (this CVE is not yet flagged as actively exploited in the wild). User interaction is mandatory: the victim must visit or be socially engineered to visit a hostile page. Drive-by download scenarios via compromised legitimate websites increase real-world risk. Once deployed, detection evasion is possible if the payload operates within the memory corruption window.
Remediation
Immediately update Google Chrome to version 149.0.7827.53 or later. Chrome auto-updates on restart; enterprises should enforce immediate restarts or use MDM/GPO policies to expedite rollout. Chromium-based browsers should be updated in parallel after confirming patch availability from their respective vendors. For organizations unable to patch immediately, restrict user access to untrusted websites via web filtering, disable JavaScript in non-essential contexts, or isolate high-risk users on sandboxed endpoints.
Patch guidance
1. Verify Chrome version: chrome://version/ in the browser's address bar. 2. For Windows/Mac/Linux: Allow auto-update to complete, or navigate to Settings > About Chrome to force a check. 3. Enterprise deployments: Use Google's Admin Console or your MDM solution to push version 149.0.7827.53+ across endpoints. 4. Confirm successful patching before clearing remediation tickets. 5. For Chromium forks (Edge, Brave, etc.), consult vendor release notes to confirm the equivalent patched version includes this fix.
Detection guidance
Monitor Chrome crash logs and memory violation signals (SEGFAULT, ASAN hits) correlated with web browsing activity. Endpoint detection systems should flag unexpected memory access patterns in chrome.exe/chromium processes, particularly around graphics library calls (dawn_native, d3d11, vulkan backends). Network-level detection is limited; focus on post-breach indicators such as unusual process spawning or credential usage following browsing sessions on untrusted domains. Behavioral analysis of visited sites (yara rules for obfuscated HTML) provides limited early warning. Patch compliance reporting is the most reliable detection proxy.
Why prioritize this
This CVE merits urgent patching despite KEV non-inclusion. The CVSS 8.8 score, network attack vector, low user interaction complexity (visiting a webpage), and memory safety bypass make it a preferred target for sophisticated threat actors. The absence from known-exploited lists does not indicate low risk; it reflects recent publication and pre-incident tracking delays. Combine this with Chrome's ubiquity in enterprise environments and you have a top-quartile risk for lateral movement and data theft.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) is justified by: (1) Network Attack Vector—the flaw is reachable via standard web traffic; (2) Low Attack Complexity—no special configuration is needed; (3) No Privileges Required—unprivileged user browsing triggers it; (4) User Interaction Required—moderate friction; and (5) Full CIA Impact—successful exploitation can leak, modify, or disrupt sensitive data and system stability. The delta between Chromium's Medium severity assessment and CVSS's HIGH reflects Google's risk model (limited in-the-wild exploitation) versus a formal scoring framework that weights impact heavily.
Frequently asked questions
Do I need to patch Chromium-based browsers like Edge and Brave separately?
Yes, in most cases. While they share code with Chrome, each vendor independently builds, tests, and releases patches. Check Microsoft (Edge), Brave Software, Opera, and other vendors for their patched versions. Many vendors release patches in parallel with Google; verify against their security advisories.
Will my organization's web filtering or ad-blocking extensions protect against this?
Not reliably. Standard content-blocking extensions cannot prevent memory corruption exploits that operate at the rendering layer. If the malicious page passes through your filters, the exploit can still execute. Extensions provide defense-in-depth, but patching Chrome itself is non-negotiable.
What does 'out-of-bounds memory access' mean in practical terms?
The vulnerability lets an attacker read or write memory locations that the browser should not permit. This can expose passwords, session tokens, or data from other open browser tabs; it can also corrupt the browser's internal state, leading to crashes or arbitrary code execution. In this case, the flaw is in the graphics rendering engine, so exploitation typically involves crafted image or canvas data.
If I enable Chrome's sandbox, am I protected?
Chrome's sandbox helps contain exploitation impact—a compromised renderer process is isolated from system access. However, this is not a substitute for patching. Memory corruption in the renderer can still leak sensitive data before the sandbox boundary. Update to 149.0.7827.53+ immediately; the sandbox is an additional layer, not a primary mitigation.
This analysis is based on publicly disclosed information and CVSS scoring as of the publication date. Threat landscape and exploit availability may change; monitor vendor advisories and threat intelligence feeds for updates. Organizations must validate patch compatibility and test in non-production environments before enterprise rollout. This document does not constitute legal, compliance, or forensic advice; engage qualified incident response and legal counsel if a breach is suspected. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10941HIGHSkia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required
- CVE-2026-9910HIGHChrome ANGLE Out-of-Bounds Memory Access – Exploit & Patch Guide
- CVE-2026-9975HIGHChrome ANGLE Sandbox Escape – Out-of-Bounds Memory Vulnerability
- CVE-2026-11090MEDIUMChrome ANGLE Memory Leak Enables Cross-Origin Data Theft
- CVE-2026-10883HIGHType Confusion in Chrome ANGLE Graphics Library
- CVE-2026-10889HIGHCritical ANGLE Sandbox Escape in Google Chrome – Patch to 149.0.7827.53
- CVE-2026-10897HIGHCritical Chrome GPU Sandbox Escape Vulnerability
- CVE-2026-10907HIGHChrome ANGLE Out-of-Bounds Write – Remote Code Execution Risk