CVE-2026-11104: Chrome ANGLE Uninitialized Memory Disclosure (CVSS 6.5)
CVE-2026-11104 is a memory information disclosure flaw in ANGLE, a graphics abstraction library used by Google Chrome. An attacker who has already compromised Chrome's renderer process can craft a malicious HTML page to read uninitialized memory and leak sensitive data. This is not a trivial attack—it requires the renderer to be compromised first—but once that foothold exists, the vulnerability can amplify the damage by exposing additional secrets from the browser process. Chrome versions before 149.0.7827.53 are vulnerable.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-457
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Uninitialized Use in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from uninitialized variable use (CWE-457) within ANGLE's graphics processing code in Chrome. When the renderer process handles a specially crafted HTML page, uninitialized memory regions may be read and returned to the attacker, bypassing memory safety guarantees. The CVSS 3.1 score of 6.5 reflects high confidentiality impact but no integrity or availability risk; exploitation requires the renderer process to already be compromised, placing this in the post-compromise information exfiltration category rather than remote code execution. The medium Chromium security severity aligns with this risk profile.
Business impact
For organizations running Chrome on employee or customer-facing systems, this vulnerability is primarily a data leakage concern in multi-staged attacks. Once an attacker gains initial renderer access through another vulnerability or social engineering, they can use CVE-2026-11104 to harvest memory contents—potentially including cryptographic keys, authentication tokens, or user data—without further user interaction beyond loading the malicious page. In environments with high-value data or compliance requirements, undetected memory disclosures can lead to regulatory violations and breach notification obligations.
Affected systems
Google Chrome prior to version 149.0.7827.53 is directly affected. The vulnerability affects Chrome on Windows, macOS, and Linux. While the CVE lists Linux kernel, Apple macOS, and Microsoft Windows as affected platforms, the flaw itself resides in Chrome's ANGLE component; patching Chrome is the primary remediation. Organizations using Chromium-based browsers (Edge, Opera, Brave, etc.) should verify whether those vendors have backported the fix or released their own patches.
Exploitability
Exploitation requires a two-stage attack chain. First, the attacker must compromise the Chrome renderer process through another means—such as a separate memory corruption bug, drive-by download, or malicious script injection. Second, they serve a crafted HTML page to trigger uninitialized memory reads. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) reflects that the attack is network-reachable but requires user interaction (UI:R, likely page load). The vulnerability does not appear in the Known Exploited Vulnerabilities (KEV) catalog, suggesting no public evidence of active exploitation. This does not guarantee it will remain unexploited; the technical details are relatively straightforward for skilled attackers with renderer access.
Remediation
Upgrade Google Chrome to version 149.0.7827.53 or later. Chrome's auto-update mechanism typically deploys patches automatically, but verify in Settings > About that your version is current. No workarounds exist short of disabling JavaScript or avoiding untrusted websites, both impractical in most environments. Chromium-based browser users should check their vendor's security advisories for corresponding patches.
Patch guidance
Verify that Chrome has auto-updated to 149.0.7827.53 or later by navigating to Chrome Settings > About Chrome, which forces a check for updates. If auto-update is disabled in your organization, manually distribute and apply the update via your mobile device management (MDM) or software distribution infrastructure. Test the patch in a limited environment first to ensure no compatibility regressions with enterprise extensions or internal web applications. For devices that cannot be updated immediately, consider network controls (proxy filtering) to block malicious sites if you have active threat intelligence on exploitation.
Detection guidance
Monitor Chrome version telemetry in your endpoints to identify stragglers still running versions prior to 149.0.7827.53. Behavioral detection is challenging because the attack leaves only renderer process memory artifacts; standard EDR logs may not capture uninitialized memory reads. Focus on detecting the prerequisite renderer compromise: look for unexpected child processes spawned by Chrome, unusual memory allocation patterns, or suspicious network connections from the renderer. Pair this with web gateway logs to spot attempts to serve crafted HTML pages to your users.
Why prioritize this
While CVSS 6.5 places this in the medium-severity band, prioritization should account for two factors: (1) the prevalence of Chrome in enterprise environments makes this a wide-attack-surface issue, and (2) exploitation requires a prior compromise, making this a risk amplifier in targeted or APT scenarios. Organizations facing advanced threats or handling sensitive data should treat this as high-priority within their medium-severity queue. Less sophisticated threat actors are unlikely to chain this with another exploit unless there is clear payoff, so lower-risk environments may safely stage this as part of regular patch cycles.
Risk score, explained
CVSS 6.5 (Medium) is appropriate: uninitialized memory disclosure (CWE-457) in a high-value process (Chrome renderer) with high confidentiality impact, but no code execution or denial-of-service vector. The medium Chromium severity designation reflects Google's assessment that this requires renderer compromise as a prerequisite. The vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) correctly penalizes the user interaction requirement and awards high confidentiality risk. This is not a worm or mass-exploitation vector; it is a precision tool in a larger attack chain.
Frequently asked questions
Can this vulnerability be exploited without compromising the renderer first?
No. The vulnerability requires the renderer process to already be compromised. An attacker cannot trigger the uninitialized memory read from a standard, unprivileged webpage alone. This is a post-compromise information exfiltration risk, not a primary attack vector.
Do I need to patch if I use a Chromium-based browser like Edge or Brave instead of Chrome?
Check your browser vendor's security advisories. Microsoft Edge, Brave, and others typically derive from Chromium source and should receive analogous fixes, but release schedules and version numbering differ. Do not assume parity with Chrome's version numbers.
Is this vulnerability in the Known Exploited Vulnerabilities (KEV) catalog?
No, CVE-2026-11104 is not listed in the KEV catalog as of the latest data. This means there is no public evidence of active exploitation, but it does not guarantee future safety. Monitor threat intelligence feeds for any escalation.
What sensitive information could leak from uninitialized memory?
Depending on what was previously stored in that memory region, attackers could potentially access encryption keys, session tokens, user data, or other secrets. The exact payload is unpredictable and depends on memory layout and timing, which is why the risk is categorized as a high-confidentiality, not guaranteed-data-theft, scenario.
This analysis is based on the CVE entry, Chromium security advisory, and CVSS vector as of the publication date (2026-06-04). Patch version numbers and vendor advisories should be verified against official vendor releases before deployment. This vulnerability requires a prior compromise of the Chrome renderer process; it is not a primary entry vector. Detection and exploitation scenarios are based on technical assessment and may evolve as threat intelligence emerges. Organizations should validate compatibility and test patches in a non-production environment before enterprise rollout. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-11039MEDIUMChrome Skia Uninitialized Variable Data Leak Vulnerability
- CVE-2026-11057MEDIUMChrome Skia Uninitialized Memory Leak – 6.5 CVSS
- CVE-2026-11067MEDIUMChrome Memory Disclosure Vulnerability in Dawn – Patch to 149.0.7827.53
- CVE-2026-11087MEDIUMChrome ANGLE Memory Leak Allows Cross-Origin Data Theft
- CVE-2026-11089MEDIUMGoogle Chrome Memory Disclosure in Media Handling
- CVE-2026-11090MEDIUMChrome ANGLE Memory Leak Enables Cross-Origin Data Theft
- CVE-2026-11109MEDIUMANGLE Uninitialized Use Data Leak in Chrome – Patch Guidance
- CVE-2026-11110MEDIUMChrome Data Leakage via ANGLE Memory Vulnerability