CVE-2026-11138: Chrome ANGLE Memory Leak Exposes Cross-Origin Data
A memory initialization flaw in Google Chrome's ANGLE graphics component allows attackers to expose sensitive data across different websites when users visit a malicious webpage. An attacker would need to craft a specially designed HTML page and trick a user into viewing it; the vulnerability itself requires no special browser configuration and affects all major operating systems where Chrome runs.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-457
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Uninitialized Use in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11138 is an uninitialized use vulnerability (CWE-457) in ANGLE, Chrome's abstraction layer for graphics APIs. Insufficient initialization of memory structures in ANGLE can be triggered by a crafted HTML page, potentially allowing an attacker to read uninitialized memory. This uninitialized memory may contain sensitive data from other security origins, bypassing the same-origin policy. The vulnerability carries a CVSS 3.1 score of 6.5 (Medium) with a network-based attack vector requiring user interaction but no special privileges.
Business impact
This vulnerability creates a confidentiality risk for users of affected Chrome versions. Corporate environments where employees browse the web face exposure of sensitive information that may be resident in browser memory—including credentials, session tokens, or proprietary data from previously visited sites. The attack requires social engineering or compromised web properties to deliver the malicious HTML, making it practical for targeted threat actors. Organizations cannot rely on network isolation alone, as the attack initiates from a website users visit directly.
Affected systems
Google Chrome versions prior to 149.0.7827.53 are vulnerable. The issue affects Chrome across all supported operating systems: Windows, macOS, and Linux. While the CVE references these operating systems and the Linux kernel, the practical impact centers on Chrome installations; administrators should verify Chrome version across their fleet regardless of OS platform.
Exploitability
The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no publicly known active exploitation at this time. However, the attack complexity is low and requires only user interaction—a user must visit an attacker-controlled or compromised webpage. This relatively low barrier means exploitation could become practical if security researchers or threat actors develop proof-of-concept code or if malicious actors gain control of high-traffic websites. The medium CVSS score reflects the confidentiality impact balanced against the requirement for user interaction.
Remediation
Update Google Chrome to version 149.0.7827.53 or later immediately across all endpoints. Chrome's auto-update mechanism typically handles this automatically, but organizations should verify completion, especially in environments with delayed or controlled updates. No workarounds mitigate the underlying flaw; patching is the only reliable remediation. Verify the installed version via chrome://version/ or through enterprise management tools.
Patch guidance
Deploy Chrome 149.0.7827.53 or any subsequent release. Organizations using Chrome Enterprise or managed Chrome deployments should confirm the patch has been applied via their management console. For unmanaged or personal devices, users should enable automatic updates and verify their current version. There are no interim patches or partial mitigations; full version updates are required.
Detection guidance
Monitor Chrome version compliance across your environment using endpoint management, SIEM, or asset inventory tools to ensure 149.0.7827.53 or later is deployed. Browser telemetry or MDM solutions can track version status across Windows, macOS, and Linux systems. Behavioral detection of memory-based data exfiltration is difficult at the host level, so prevention through patching is more practical than post-compromise detection. Network-level detection of malicious HTML is challenging without content inspection; focus remediation efforts on rapid patching and user awareness.
Why prioritize this
Although marked Medium severity, this vulnerability should be prioritized for rapid patching due to its low attack complexity, wide affected user base, and confidentiality impact. Chrome's auto-update mechanism reduces deployment friction, making timely patching achievable. Threat actors actively targeting confidential corporate data may craft campaigns exploiting this flaw before patches are universally applied. The lack of KEV status does not indicate low risk; it reflects current absence of known public exploitation—a temporary condition.
Risk score, explained
The CVSS 6.5 (Medium) score appropriately reflects a network-based attack requiring user interaction, with confidentiality impact but no integrity or availability effects. The uninitialized memory condition is deterministic once triggered, making the attack outcome reliable for attackers. For organizations handling sensitive client data or employee credentials, the actual business risk may exceed the numerical score due to the confidentiality exposure and ease of delivery via social engineering.
Frequently asked questions
Does this vulnerability require any special browser settings or plugins to exploit?
No. The vulnerability exists in the core ANGLE graphics component and can be triggered by a standard HTML page. No special configuration, plugins, or user actions beyond visiting the malicious webpage are required.
Can this be exploited if users only visit trusted, internal websites?
The vulnerability requires visiting an attacker-controlled or compromised webpage. If your organization maintains strict browsing policies limiting access only to vetted internal sites, risk is reduced. However, most organizations cannot enforce complete web restrictions, making this vulnerability relevant to defense strategies.
How quickly should we expect Chrome to be updated across our fleet?
Chrome's auto-update mechanism typically deploys new versions within 24–48 hours for most users. Managed deployments via Chrome Enterprise may follow IT policies; verify your update cadence in Chrome management tools. Manual verification may be necessary in air-gapped or heavily controlled environments.
Is there a difference in risk between Windows, macOS, and Linux deployments?
The vulnerability itself is platform-agnostic in Chrome; ANGLE behavior is consistent across Windows, macOS, and Linux. Patching timelines and deployment mechanisms may differ by platform and your organization's update policies, but all should be treated with equal priority.
This analysis is based on publicly available CVE information and vendor disclosures as of June 2026. Exploit availability, active threat actor interest, and real-world impact may change. Organizations should verify patch availability and applicability to their specific Chrome deployments against official Google Chrome security advisories and their vendor documentation. This explainer does not constitute a substitute for security assessment by qualified personnel familiar with your organization's specific systems and risk profile. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-11039MEDIUMChrome Skia Uninitialized Variable Data Leak Vulnerability
- CVE-2026-11057MEDIUMChrome Skia Uninitialized Memory Leak – 6.5 CVSS
- CVE-2026-11067MEDIUMChrome Memory Disclosure Vulnerability in Dawn – Patch to 149.0.7827.53
- CVE-2026-11087MEDIUMChrome ANGLE Memory Leak Allows Cross-Origin Data Theft
- CVE-2026-11089MEDIUMGoogle Chrome Memory Disclosure in Media Handling
- CVE-2026-11090MEDIUMChrome ANGLE Memory Leak Enables Cross-Origin Data Theft
- CVE-2026-11104MEDIUMChrome ANGLE Uninitialized Memory Disclosure (CVSS 6.5)
- CVE-2026-11109MEDIUMANGLE Uninitialized Use Data Leak in Chrome – Patch Guidance