CVE-2026-11123: ANGLE Uninitialized Memory Leak in Chrome 149—Memory Disclosure Risk
A flaw in ANGLE (the graphics abstraction layer used by Google Chrome) allows attackers to trick users into visiting a malicious website that reads sensitive information directly from Chrome's memory. The vulnerability was patched in Chrome version 149.0.7827.53. Because it requires user interaction (clicking a link or visiting a page), it's less critical than remotely exploitable flaws, but the memory disclosure risk—potentially exposing authentication tokens, cached data, or other secrets—warrants prompt patching.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-457
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Uninitialized Use in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11123 is an uninitialized variable vulnerability (CWE-457) in ANGLE, Chrome's OpenGL/Direct3D abstraction layer. An attacker crafts an HTML page containing malicious WebGL or canvas rendering code that exploits uninitialized memory in the graphics pipeline. When a user visits the page, the uninitialized memory becomes readable to the attacker's JavaScript, leaking process memory contents. The vulnerability affects Chrome on Windows, macOS, and Linux. Chrome developers classified it as Medium severity due to the user-interaction requirement and the confined nature of memory disclosure within the renderer process.
Business impact
For organizations allowing employees to browse the internet with Chrome, this vulnerability poses a data exfiltration risk. An attacker could harvest sensitive data (session tokens, credentials, API keys in memory) if users visit a compromised or attacker-controlled site. Lateral movement or lateral privilege escalation becomes possible if the leaked data includes authentication credentials. Regulatory exposure exists if memory contents contain regulated data (PII, health records, financial info). However, the attack requires active user participation and browser use, not server-side exploitation.
Affected systems
Google Chrome installations prior to version 149.0.7827.53 are directly vulnerable. The vulnerability also affects Chrome running on Apple macOS, Microsoft Windows, and Linux systems. Organizations using Chromium-based browsers (Edge, Brave, Opera) should verify whether those vendors have backported the fix and when; this advisory specifically confirms the impact on Chrome. Chrome OS is affected if it includes vulnerable Chrome versions.
Exploitability
The attack requires network access and user interaction: a victim must navigate to an attacker-controlled or compromised web page. No special browser settings or extensions are needed; standard web rendering is sufficient. Exploit complexity is low—the attacker simply embeds malicious graphics code in a webpage. The CVSS vector (AV:N/AC:L/PR:N/UI:R) reflects this: network-accessible, low complexity, no privileges needed, but requires user interaction (UI:R). The flaw is not currently listed in CISA's Known Exploited Vulnerabilities catalog, but the relative simplicity of crafting a proof-of-concept and the attractiveness of memory disclosure make it a likely target for exploitation.
Remediation
Update Google Chrome to version 149.0.7827.53 or later. Chrome's auto-update mechanism typically delivers patches within days; verify the update by opening chrome://version and confirming the version number matches or exceeds the patched release. For managed deployments, use Group Policy (Windows) or mobile device management (MDM) policies to enforce the update. Block older versions if your environment permits. No workarounds mitigate the flaw; patching is the only remedy.
Patch guidance
Deploy Chrome 149.0.7827.53 or later. Verify patch deployment across your environment using Chrome's built-in update mechanism or your device management platform. If users have disabled auto-update, manually trigger updates or enforce update policies via GPO/MDM. Test the patch in a lab environment if your organization requires change control verification. Confirm the patched version by navigating to chrome://version on each device.
Detection guidance
Monitor for Chrome versions older than 149.0.7827.53 using endpoint detection tools (EDR, MDM) or vulnerability scanning. Network-level detection is difficult because the attack occurs within encrypted browser traffic (HTTPS). Behavioral detection could focus on unusual memory-access patterns in Chrome renderer processes, but this requires deep kernel-level visibility. Log successful Chrome auto-updates to confirm patch rollout. If user devices report crashes or graphics rendering errors post-update, investigate compatibility with enterprise graphics drivers.
Why prioritize this
While the CVSS score is 6.5 (Medium), memory disclosure vulnerabilities merit prompt attention in security queues. The attack surface is large (any user browsing the web with Chrome), the attacker motivation is high (credential/token theft), and patching is straightforward. Organizations with strict data-leakage controls should prioritize this within 2–4 weeks. However, it is lower priority than active remote code execution or privilege escalation flaws affecting the same software.
Risk score, explained
The CVSS 3.1 score of 6.5 reflects: Network accessibility (AV:N) and low attack complexity (AC:L), yielding a baseline of 7.3; the requirement for user interaction (UI:R) reduces it to 6.5. There is no integrity or availability impact (I:N/A:N), only confidentiality impact (C:H), because the attacker can only read memory, not modify it or crash the browser. The attack is confined to the user's process (S:U, same scope), so it does not escape the renderer sandbox or elevate privileges directly. The score appropriately weights the serious but bounded threat of memory disclosure.
Frequently asked questions
Can an attacker exploit this without the user clicking anything?
No. The vulnerability requires user interaction—the victim must navigate to or load a page containing the malicious code. Passive network sniffing or DNS hijacking is insufficient; the user's browser must render the crafted HTML.
What data could be stolen from Chrome's memory?
The attacker gains access to uninitialized memory in the graphics pipeline, which may contain fragments of previously allocated objects: session cookies, authentication tokens, temporary cached data, or other process memory. The exact content depends on memory layout and prior process activity, but the attacker cannot selectively target specific data.
Does this affect Chromium-based browsers like Edge or Brave?
This CVE specifically impacts Google Chrome. Chromium-based browsers (Edge, Brave, Opera) use the same Chromium source code, so they are likely affected by the same flaw. Check the respective vendor advisories to confirm patch status and versions for those browsers.
Is there a way to block this attack at the network level?
Not reliably. The attack payload is embedded in encrypted HTTPS traffic and renders within the user's browser. Network-level defenses cannot inspect or filter the malicious HTML. Endpoint patching is the only effective mitigation.
This analysis is based on publicly available information and the CVE record as of the publication date. Vendor advisories, patch availability, and exploit status may evolve; always verify current remediation guidance with Google's official Chrome security advisories and your organization's vulnerability management processes. SEC.co does not provide proof-of-concept code or exploitation instructions. Consult your security team or vendor support for environment-specific guidance. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-11039MEDIUMChrome Skia Uninitialized Variable Data Leak Vulnerability
- CVE-2026-11057MEDIUMChrome Skia Uninitialized Memory Leak – 6.5 CVSS
- CVE-2026-11067MEDIUMChrome Memory Disclosure Vulnerability in Dawn – Patch to 149.0.7827.53
- CVE-2026-11087MEDIUMChrome ANGLE Memory Leak Allows Cross-Origin Data Theft
- CVE-2026-11089MEDIUMGoogle Chrome Memory Disclosure in Media Handling
- CVE-2026-11090MEDIUMChrome ANGLE Memory Leak Enables Cross-Origin Data Theft
- CVE-2026-11104MEDIUMChrome ANGLE Uninitialized Memory Disclosure (CVSS 6.5)
- CVE-2026-11109MEDIUMANGLE Uninitialized Use Data Leak in Chrome – Patch Guidance