CVE-2026-11191: Out-of-Bounds Memory Access in Chrome ANGLE Library
A memory safety flaw in Chrome's ANGLE graphics library allows attackers to access memory beyond intended boundaries when a user visits a malicious webpage. An attacker can craft HTML that exploits this out-of-bounds read or write to leak sensitive data, crash the browser, or execute code with the privileges of the Chrome process. The vulnerability affects Chrome versions prior to 149.0.7827.53 across Windows, macOS, and Linux.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-125
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Out of bounds memory access in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11191 is an out-of-bounds memory access vulnerability (CWE-125) in the ANGLE library, Google's WebGL implementation layer in Chromium. The flaw permits a remote attacker to read or write memory outside allocated buffers through a specially constructed HTML page. ANGLE abstracts graphics operations across platforms; improper bounds checking in this component exposes the renderer process to memory corruption. The attack requires user interaction (visiting the crafted page) but no authentication or elevated privileges. The Chromium security team assigned this a Medium severity rating, though the CVSS 3.1 score of 8.8 reflects the combination of network-based delivery, user interaction requirement, and high impact across confidentiality, integrity, and availability.
Business impact
Memory corruption vulnerabilities in browser engines represent a critical risk to any organization whose users browse the web. Successful exploitation can lead to credential theft, malware installation, or lateral movement within corporate networks if an attacker compromises a user's browser session. The simplicity of delivery—a malicious HTML page—means attackers can leverage existing web properties, phishing campaigns, or ad networks to reach targets. Industries handling sensitive data (financial services, government, healthcare) face elevated risk if users are exposed to adversary-controlled content.
Affected systems
Google Chrome (all versions prior to 149.0.7827.53) on Windows, macOS, and Linux are directly affected. The vulnerability is in Chrome's rendering engine; users of Chrome-based browsers (Edge, Opera, Brave, Vivaldi) built from Chromium versions prior to the patched release may also be vulnerable. This is not a kernel-level flaw affecting the operating systems themselves, despite the vendor list nomenclature. Users must update Chrome to 149.0.7827.53 or later.
Exploitability
Exploitation requires a remote attacker to host or inject malicious HTML into a website the target visits. No special network position, authentication, or local system access is needed. The user interaction requirement (clicking a link, visiting a site) is easily satisfied through social engineering, watering-hole attacks, or compromised advertisements. Public exploit code has not been confirmed as available; however, memory corruption vulnerabilities of this type are typically reproducible by skilled attackers once the underlying bug is understood. The attack surface is broad: any webpage visit is a potential exposure vector.
Remediation
Update Google Chrome to version 149.0.7827.53 or later immediately. Chrome's auto-update mechanism typically deploys patches within 24–48 hours of release; verify successful update by navigating to chrome://settings/help. For organizations with managed Chrome deployments, use policy controls (CloudManaged or ADMX templates) to enforce the minimum version requirement. Chromium-based browsers should verify their release notes for corresponding patches against the same ANGLE vulnerability. No workarounds mitigate the vulnerability short of disabling JavaScript or blocking untrusted sites, both impractical for most users.
Patch guidance
Google Chrome 149.0.7827.53 contains the fix for CVE-2026-11191. Verify the patched version is deployed by checking Settings > About Chrome; the browser will auto-check for updates. For enterprise deployments, use the Chrome release notes and security advisory (linked in your vendor advisory documentation) to confirm the patch scope. Chromium-based browsers (Microsoft Edge, Brave, Opera, Vivaldi) should be checked against their respective release cycles; most rebuild from Chromium frequently and will receive the fix within days of Chrome's release. No manual configuration changes are required post-patch.
Detection guidance
Detection of exploitation attempts is difficult without instrumentation of the rendering process itself. Traditional network-based detection (IDS/IPS) cannot reliably identify malicious HTML payloads crafted for this specific flaw. Focus mitigation on prevention: (1) enforce Chrome updates via policy; (2) block access to known attacker infrastructure (if identified in threat intelligence feeds); (3) monitor for abnormal process behavior from chrome.exe or chromium processes (high CPU, unusual memory allocation, child process spawning). Endpoint Detection and Response (EDR) solutions may flag memory corruption attempts if configured to monitor rendering engine crashes or sandbox violations. Log Chrome update status in your asset inventory to identify non-compliant systems.
Why prioritize this
This vulnerability warrants immediate patching despite not appearing on CISA's Known Exploited Vulnerabilities (KEV) catalog. The combination of easy network delivery, broad user exposure, and memory corruption impact creates significant risk. CVSS 8.8 (HIGH) reflects the severity; the lack of KEV status indicates no widespread in-the-wild exploitation confirmed at time of publication, but does not mean exploitation is not possible or will not occur. Chromium memory issues are historically attractive targets for advanced threat actors. Prioritize deployment within 2–7 days for general user populations; expedite for high-value roles (executives, researchers, developers) who may be targeted.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) combines: (1) Network-based attack vector requiring no special position; (2) Low attack complexity—a crafted HTML page is straightforward to produce; (3) No privilege requirement and no authentication; (4) User interaction required (visiting the page), reducing autonomous worm potential but not significantly lowering risk in practice; (5) Scope unchanged (attack confined to affected process); (6) High impact across confidentiality (data leakage from memory), integrity (memory modification), and availability (process crash). The gap between Chromium's Medium severity rating and the CVSS HIGH score reflects Chromium's internal weighting of the user interaction requirement; the CVSS vector weight gives fuller credit to the remote, low-complexity nature of the attack.
Frequently asked questions
Is this vulnerability actively being exploited?
No public evidence of active exploitation has been reported as of the publication date. The vulnerability does not appear on CISA's KEV catalog. However, memory corruption bugs in widely used software are attractive to sophisticated attackers, and the ease of delivery via malicious webpages means exploitation is feasible. Assume weaponization is possible if not already underway.
Do I need to update if I am using Edge, Brave, or another Chromium-based browser?
Yes. All Chromium-derived browsers are affected if they have not incorporated the ANGLE fix. Check your browser's About page for version number and consult the vendor's security advisory. Most Chromium rebuilders (Microsoft, Brave, Opera) push updates quickly after Chrome's release, typically within 3–7 days. Do not assume your browser is safe because you are not using Chrome.
Can a firewall or proxy block this attack?
Not reliably. The attack is delivered through normal HTTPS traffic (a webpage). Standard web proxies cannot inspect the contents of encrypted HTML in a way that identifies this specific payload without breaking encryption. Focus on keeping your browser updated rather than relying on network controls.
What if I cannot update Chrome immediately?
Minimize time spent on untrusted websites. Disable extensions if possible (some may increase attack surface). Enable Chrome's Safe Browsing feature. For critical systems, isolate them from general web browsing or use a separate device for high-risk activities until patching is complete. These are temporary mitigations; a timely patch is the only complete fix.
This analysis is based on publicly available vulnerability data current as of June 2026. CVSS scores and severity ratings are assigned by vendors and standards bodies and may vary based on environmental factors specific to your organization. No exploit code is provided or endorsed. Always verify patch applicability and test in non-production environments before deployment. Consult official vendor advisories and your security team for guidance tailored to your systems and risk profile. This page is provided for informational purposes and does not constitute a guarantee of accuracy or completeness. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10889HIGHCritical ANGLE Sandbox Escape in Google Chrome – Patch to 149.0.7827.53
- CVE-2026-10927HIGHChrome Sandbox Escape via Dawn Out-of-Bounds Read
- CVE-2026-10941HIGHSkia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required
- CVE-2026-11015HIGHCritical Chrome WebGPU Out-of-Bounds Read Vulnerability
- CVE-2026-11077HIGHChrome Dawn Graphics Vulnerability – Sandbox Escape Risk
- CVE-2026-11091HIGHCritical Chrome Memory Corruption Vulnerability in Dawn Graphics Engine
- CVE-2026-11111HIGHChrome Out-of-Bounds Read in ANGLE Graphics Engine — Patch Guidance
- CVE-2026-11256HIGHChrome GPU Integer Overflow Sandbox Escape Vulnerability