MEDIUM 6.5

CVE-2026-11110: Chrome Data Leakage via ANGLE Memory Vulnerability

A flaw in Google Chrome's graphics rendering engine (ANGLE) can leak sensitive data from websites you visit to attackers. The vulnerability exists in Chrome versions before 149.0.7827.53 and requires a user to click on or interact with a malicious webpage. When exploited, it exposes confidential information that should remain isolated between different websites.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-457
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Uninitialized Use in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11110 is an uninitialized memory use vulnerability (CWE-457) in the ANGLE graphics abstraction layer within Chromium-based browsers. The flaw allows improper memory initialization, which can be leveraged by an attacker to read cross-origin data that would normally be protected by browser security boundaries. The vulnerability has a CVSS v3.1 score of 6.5 (Medium), with an attack vector of network-accessible, low complexity, no privileges required, and user interaction needed. The confidentiality impact is high, while integrity and availability are not affected.

Business impact

This vulnerability poses a data confidentiality risk for organizations whose employees use affected Chrome versions. Attackers could potentially extract sensitive information from authenticated sessions, including credentials, personal data, or proprietary information viewed across multiple websites in the same browser instance. The requirement for user interaction—visiting a crafted malicious page—means social engineering or targeted campaigns would be necessary. Organizations relying on Chrome for secure web access should prioritize patching to limit the window of exposure.

Affected systems

Google Chrome versions prior to 149.0.7827.53 are affected on Windows, macOS, and Linux platforms. While the CVE references Apple macOS, Linux kernel, and Microsoft Windows as affected operating systems, the root cause is the Chromium browser engine; patch status varies by platform and distribution. Users of Chromium-based browsers (Edge, Opera, Brave, etc.) should verify patch availability with their respective vendors, as they may ship affected versions independently.

Exploitability

Exploitation requires network access and user interaction—specifically, a user must visit a crafted HTML page controlled by the attacker. There is no evidence of active exploitation in the wild (the vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog). The attack does not require special privileges, but the attacker cannot force a user to visit a malicious page; phishing, social engineering, or compromised advertising networks would be necessary vectors.

Remediation

Update Google Chrome to version 149.0.7827.53 or later immediately. For organizational deployments, verify that Chrome auto-update is enabled or use centralized patch management to roll out the update. Users on Linux should check their distribution's package repositories for patched versions. Chromium-based browser users should confirm patch availability from their respective vendors before assuming protection.

Patch guidance

Google Chrome will auto-update to version 149.0.7827.53 or later if auto-update is enabled. Verify the installed version by navigating to Chrome menu > Help > About Google Chrome; the browser will check for updates automatically. For enterprise deployments, administrators can enforce updates via group policy (Windows) or configuration management tools. On macOS and Linux, ensure package managers or vendor-provided update mechanisms are current. Test patches in a non-production environment if possible before broad rollout.

Detection guidance

Monitor for Chrome versions below 149.0.7827.53 in your environment using endpoint management tools or browser telemetry. Watch for suspicious HTML rendering behavior or memory access patterns in browser logs (if logging is enabled). Network detection is difficult, as the attack is memory-based and invisible on the wire. Behavioral indicators include sudden data exfiltration from authenticated sessions or unusual cross-site data access. Consider deploying browser isolation technology for high-risk users to contain potential exploitation.

Why prioritize this

This vulnerability merits prompt but not emergency patching. The CVSS score of 6.5 (Medium) reflects high confidentiality impact but the requirement for user interaction to trigger exploitation. Unlike zero-days or critical remote code execution flaws, this requires social engineering and affects data confidentiality, not system availability or integrity. However, the ease of patch deployment for Chrome (auto-update) and the sensitivity of data at risk justify prioritizing it within your Medium-severity queue.

Risk score, explained

The CVSS v3.1 score of 6.5 reflects: (1) Network-accessible attack vector—exploitable remotely over the internet; (2) Low attack complexity—no special conditions needed beyond a crafted webpage; (3) No privileges required; (4) User interaction required—a user must visit the malicious page; (5) Confidentiality impact rated High—sensitive data can be leaked; (6) No integrity or availability impact. The Medium severity rating from Chromium aligns with this score, acknowledging real data leakage potential balanced against the user-interaction requirement.

Frequently asked questions

Does this vulnerability allow remote code execution?

No. CVE-2026-11110 is a data leakage vulnerability, not code execution. It allows an attacker to read cross-origin data from memory, but not to execute arbitrary code or take control of the system.

Am I vulnerable if I have auto-update enabled?

Auto-update reduces your window of vulnerability significantly. However, you remain at risk until the update is downloaded and installed, which may take hours or days depending on your update schedule and configuration. Check your current version to verify patching.

Can this be exploited without user interaction?

No. The attacker must trick or convince a user to visit a malicious webpage. The vulnerability cannot be triggered remotely without the user clicking a link or loading crafted HTML content in their browser.

Are Chromium forks like Edge, Opera, or Brave affected?

Possibly, depending on when each vendor's derivative version incorporated the vulnerable ANGLE code. Verify patch availability for your specific browser and update accordingly. Do not assume that updating Chrome protects other Chromium-based browsers you may use.

This analysis is based on publicly available information as of June 2026. CVSS scores, affected product versions, and patch status are subject to change as vendors release updates or issue errata. Verify all patch versions against official vendor advisories before deployment. This guidance is informational and does not constitute legal, compliance, or specific security advice for your organization. Test patches in controlled environments before production rollout. SEC.co makes no warranty regarding the completeness or accuracy of this analysis. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).