CVE-2026-11140: Chrome Chromecast Out-of-Bounds Read Memory Disclosure
A memory reading vulnerability in Google Chrome's Chromecast feature allows an attacker who has already compromised the browser's renderer process to steal sensitive data from the browser's memory by serving a specially crafted web page. The vulnerability requires the attacker to have control of the renderer—the component that displays websites—but once achieved, they can extract information without needing special privileges or modifying the page's normal function.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-20
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Out of bounds read in Chromecast in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11140 is an out-of-bounds read vulnerability in the Chromecast implementation within Google Chrome prior to version 149.0.7827.53. The flaw permits a threat actor controlling a compromised renderer process to read adjacent memory regions via a maliciously crafted HTML page, potentially exposing sensitive process memory content. The vulnerability is classified as a bounds-checking failure (CWE-20) and carries a CVSS 3.1 score of 6.5 (Medium severity) with a network attack vector, low attack complexity, and confidentiality impact but no integrity or availability impact.
Business impact
This vulnerability primarily affects confidentiality. If an attacker gains renderer-process access—typically through a separate browser exploit or social engineering—they can pivot to extract sensitive data such as authentication tokens, cached credentials, personal information, or other in-memory secrets. For organizations, this means a single compromise of the browser process can lead to further data theft. End-users running unpatched Chrome versions face exposure if they visit malicious sites after their browser has been compromised through other means.
Affected systems
Google Chrome versions prior to 149.0.7827.53 are affected. Chrome runs on Windows, macOS, and Linux; the vulnerability affects all these platforms. Users of Chromium-based browsers that incorporate the affected code may also be vulnerable; organizations should verify their derivative browser versions against the upstream Chromium fix.
Exploitability
Exploitation requires two conditions: the attacker must have already compromised the renderer process (a non-trivial prerequisite), and the user must then visit a page controlled by the attacker. Once the renderer is compromised, triggering the vulnerability is straightforward via a crafted HTML page. The vulnerability is not currently tracked in the Known Exploited Vulnerabilities (KEV) catalog, meaning no widespread in-the-wild exploitation has been documented at the time of publication.
Remediation
Apply Chrome updates to version 149.0.7827.53 or later. Most users with automatic updates enabled will receive this patch without intervention. Organizations using managed Chrome deployments should verify patch deployment across their fleet. No workarounds exist for this class of vulnerability; patching is the only mitigation.
Patch guidance
Update Google Chrome to version 149.0.7827.53 or later via Settings > About Chrome, which will automatically download and apply the patch on restart. For enterprise environments using Google Chrome Enterprise, deploy updates through your device management console or verify that auto-update policies are enabled. Verify patch deployment by checking chrome://settings/help to confirm your installed version matches or exceeds 149.0.7827.53.
Detection guidance
Because exploitation requires prior renderer compromise, detection should focus on anomalous renderer process behavior and unusual memory access patterns. Monitor for browser exploitation attempts, unexpected child processes spawned by the Chrome renderer, or suspicious network activity following browser events. Endpoint detection and response (EDR) tools should flag unexpected memory reads from Chrome processes if the vendor provides such fidelity. Log and alert on installation of browser extensions from untrusted sources, as these are common initial compromise vectors.
Why prioritize this
Although the CVSS score is moderate (6.5), this vulnerability should be prioritized because it enables multi-stage attacks. An attacker exploiting this flaw gains access to sensitive in-memory data after achieving renderer compromise, raising the overall risk profile. The prevalence of Chrome usage and the open nature of web browsing mean a large installed base is at risk. However, the requirement for prior renderer compromise prevents this from being a zero-trust threat; it is a secondary vulnerability in an attack chain.
Risk score, explained
The CVSS 3.1 score of 6.5 (Medium) reflects a network attack vector and low attack complexity, but zero integrity and availability impact—only confidentiality is affected. The score is appropriate for a memory disclosure flaw that requires user interaction (visiting a malicious page) after renderer compromise. From a real-world risk perspective, organizations with strong browser security controls and patch management can reduce exposure significantly, while those with poor patching discipline face elevated secondary-compromise risk.
Frequently asked questions
Do I need to be worried if my Chrome is up to date?
No. If you are running Chrome 149.0.7827.53 or later, this specific vulnerability is patched. Automatic updates are enabled by default in Chrome; check chrome://settings/help to verify your current version.
What does 'renderer process compromise' mean and how does it happen?
The renderer process is the component of Chrome that interprets and displays web pages. It is often the target of browser exploits because websites can interact with it directly. If an attacker finds and exploits a separate vulnerability in Chrome (or in a plugin), they can gain code execution in the renderer. This vulnerability then allows them to read memory that might contain secrets. In practice, renderer compromise usually requires the user to visit a malicious or compromised website.
Is this being actively exploited?
As of the publication date, this vulnerability is not listed in the KEV (Known Exploited Vulnerabilities) catalog, indicating no widespread active exploitation has been publicly reported. However, responsible organizations should not wait for public proof-of-concept before patching; timely updates remain the best defense.
Does this vulnerability affect other Chromium-based browsers like Edge or Brave?
Possibly. Browsers built on Chromium may inherit this vulnerability if they bundle the affected code path. Check with your browser vendor for patch status and apply updates as they become available. Do not assume that a Chrome patch automatically protects other Chromium-derived browsers.
This analysis is based on publicly available information and the structured CVE data as of June 2026. Patch versions, vendor advisories, and exploit status may change; always verify current patch availability and compatibility with your environment against official vendor sources. This vulnerability requires prior renderer compromise; patching alone may not prevent initial browser exploitation. For critical systems or questions specific to your infrastructure, consult with a qualified security professional or your vendor's support team. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-11008MEDIUMChrome WebAppInstalls Cross-Origin Data Leak (CVSS 6.5)
- CVE-2026-11013MEDIUMChrome Network Input Validation Flaw Enables Memory Data Theft
- CVE-2026-11016MEDIUMChrome Same-Origin Policy Bypass (Medium Severity)
- CVE-2026-11022MEDIUMChrome DevTools Same-Origin Policy Bypass (Medium)
- CVE-2026-11023MEDIUMChrome Same-Origin Policy Bypass in WebAppInstalls