MEDIUM 6.5

CVE-2026-11183: Chrome GWP-ASan Memory Disclosure – Patch Guidance

CVE-2026-11183 is a memory safety vulnerability in Google Chrome's GWP-ASan security feature that allows an attacker with local access to read sensitive data from the browser's memory by tricking a user into opening a malicious file. While the flaw requires user interaction and doesn't allow remote code execution, it can expose confidential information such as cached credentials, session tokens, or other sensitive data held in process memory.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-125
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Out of bounds read in GWP-ASan in Google Chrome prior to 149.0.7827.53 allowed a local attacker to obtain potentially sensitive information from process memory via a malicious file. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability is an out-of-bounds read in GWP-ASan (GWP Asan, a memory debugging tool integrated into Chromium). An attacker can craft a malicious file that, when processed by Chrome, triggers an out-of-bounds memory access. Rather than crashing safely, this read vulnerability allows the attacker to observe the contents of memory adjacent to the intended buffer, violating memory isolation. The flaw maps to CWE-125 (Out-of-bounds Read), indicating insufficient bounds checking in memory access operations.

Business impact

Exploitation could lead to disclosure of sensitive application data residing in Chrome's memory space—including authentication credentials, personal information, browsing history fragments, or cached API tokens. While not directly enabling code execution or system compromise, the information leakage can facilitate downstream attacks such as credential theft or session hijacking. Organizations with high-security requirements or users handling classified or regulated data face elevated risk.

Affected systems

The vulnerability affects Google Chrome versions prior to 149.0.7827.53. The underlying memory flaw also potentially affects systems running Chrome on macOS, Linux (via the Linux kernel's interaction with the browser), and Windows, though the primary attack surface is through Chrome itself. Organizations must patch Chrome across all deployment platforms.

Exploitability

Exploitability is moderate. The attack requires user interaction—the victim must open or interact with a malicious file—and operates via network-based distribution of that file. No authentication is required from the attacker's perspective. However, crafting a reliable exploit depends on accurate knowledge of memory layouts and GWP-ASan behavior, which raises the bar slightly for untargeted attacks. Once a user interacts with the malicious file, the out-of-bounds read is triggered autonomously.

Remediation

Update Google Chrome to version 149.0.7827.53 or later immediately across all endpoints. Verify that automatic updates are enabled to catch future security releases. For environments with restricted update policies, prioritize this patch in your change management process given the memory disclosure risk. No workarounds exist; patching is the only mitigation.

Patch guidance

Deploy Chrome version 149.0.7827.53 or newer as soon as possible. Most organizations rely on Chrome's auto-update mechanism; verify it is functioning in your environment by checking Settings > About Google Chrome to confirm your installed version. For managed deployments (via Group Policy, MDM, or similar), update your configuration to push the patched version. Test in a limited environment first if your change control process requires it, but prioritize speed given the information disclosure risk.

Detection guidance

Monitor for failed Chrome updates or out-of-date Chrome versions in your endpoint inventory. Search logs for any user reports of unusual file interactions or Chrome crashes related to file handling. Security Information and Event Management (SIEM) systems should flag Chrome processes accessing unexpected memory regions, though GWP-ASan's own error reporting may surface detection signals in Chrome's crash reports. Review Chrome sync logs and authentication event logs for unexpected account activity that might indicate credential leakage from this or related vulnerabilities.

Why prioritize this

Although the CVSS score of 6.5 is moderate and the flaw does not enable code execution, the combination of user-triggered exploitation, memory disclosure capability, and Chrome's ubiquity across enterprise and consumer devices warrants swift patching. Information leakage from browser memory is a direct path to credential compromise, making this a high-priority security issue despite its moderate severity rating.

Risk score, explained

The CVSS v3.1 score of 6.5 reflects a Medium severity rating, driven by high confidentiality impact (C:H) balanced against the requirement for user interaction (UI:R) and local/adjacent network attack vector constraints. The score does not account for business context—credential disclosure from browser memory often carries greater real-world impact than the base score alone suggests. Organizations handling sensitive data should treat this as a P1 patch candidate.

Frequently asked questions

Can this vulnerability be exploited remotely without user action?

No. The attacker must deliver a malicious file and the user must open or interact with it. The flaw cannot be triggered through passive browsing or network exposure alone. However, widespread social engineering or file distribution attacks could lower the practical barrier to exploitation.

Does this vulnerability allow arbitrary code execution?

No. This is a read-only memory disclosure flaw. It does not permit the attacker to execute code or modify memory. However, the disclosed information—such as credentials or session tokens—could be weaponized in follow-up attacks.

Are all versions of Chrome affected?

All Chrome versions prior to 149.0.7827.53 are vulnerable. Users should update to 149.0.7827.53 or later. Check your current version in Settings > About Google Chrome; the browser will automatically update if auto-update is enabled.

What should I do if I cannot update Chrome immediately?

Restrict user access to untrusted file sources, disable file auto-open features, and educate users not to open suspicious files. However, these are temporary mitigations only. Patch as soon as your change control process allows; the vulnerability is too significant to leave unpatched long-term.

This analysis is based on vendor-provided information and public disclosures as of the publication date. Security researchers and affected organizations should verify all technical claims, patch availability, and compatibility in their own environments before deploying changes. SEC.co makes no warranty regarding the completeness or accuracy of this analysis. Exploit code is not provided; organizations should consult official vendor advisories for detailed remediation steps. This document is for informational purposes and should not substitute for formal security risk assessments or vendor guidance. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).