MEDIUM 6.5

CVE-2026-11268: Chrome ANGLE Memory Leak Data Disclosure Vulnerability

A vulnerability in Google Chrome's ANGLE graphics library on Windows allows an attacker to steal sensitive data from websites you visit. The flaw stems from uninitialized memory being used during graphics processing, which can leak information across security boundaries. An attacker would need to trick you into visiting a malicious webpage to exploit this—the vulnerability cannot be triggered remotely without user interaction. Chrome version 149.0.7827.53 and later patch this issue.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-457
Affected products
2 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

Uninitialized Use in ANGLE in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11268 is an uninitialized memory use vulnerability (CWE-457) in ANGLE, the graphics abstraction library bundled with Google Chrome on Windows. When ANGLE processes graphics operations, certain memory locations may be read before being properly initialized, potentially containing sensitive data from other browser contexts. The vulnerability allows cross-origin data disclosure—meaning a malicious webpage can access information that should be isolated to a different origin. The attack requires user interaction (visiting a crafted HTML page) and does not affect confidentiality outside the renderer process sandbox.

Business impact

Data leakage affecting end-users' confidentiality is a material security concern. If exploited, attackers could exfiltrate credentials, session tokens, or other sensitive information from visited websites. For enterprises, this creates risk if employees browse untrusted sites or click malicious links. The requirement for user interaction and the browser sandbox limit the blast radius, but the medium CVSS score reflects the realistic confidentiality impact. Organizations should prioritize patching to prevent targeted attacks against high-value users.

Affected systems

Google Chrome on Windows versions prior to 149.0.7827.53 are vulnerable. The issue is specific to the Windows platform due to ANGLE's platform-dependent graphics stack. Chrome on macOS, Linux, and Android are not affected. The vulnerability does not affect Microsoft Windows itself—only Chrome running on Windows is impacted.

Exploitability

Exploitation requires low technical complexity: an attacker crafts a malicious HTML page designed to trigger uninitialized memory reads in ANGLE, then social engineers or redirects a target to that page. No privileged access, special network conditions, or vulnerabilities in other software are required. However, the attacker cannot force a visit—the victim must access the malicious page. Chromium's renderer sandbox provides some containment; leaked data is limited to what the renderer process can access. This has not been added to CISA's Known Exploited Vulnerabilities catalog, indicating no wild exploitation has been confirmed yet.

Remediation

Update Google Chrome to version 149.0.7827.53 or later. Chrome's auto-update mechanism typically deploys patches within days; users can manually check via Settings > About Chrome to force an immediate update. Administrators managing Chrome in enterprise environments should use group policy or mobile device management to enforce the update. No workarounds exist, so patching is the only mitigation.

Patch guidance

Verify that all Chrome instances have auto-update enabled (the default). For Windows deployments, check chrome://settings/help to confirm the browser has updated to version 149.0.7827.53 or later. Enterprise users should review Chrome Enterprise policies (e.g., Update Policy) to ensure patch deployment is mandated. Test patch deployment in a small cohort before enterprise-wide rollout if your organization runs custom Chrome extensions or relies on specific Chrome versions.

Detection guidance

Monitor Chrome version compliance across your user base—tools like JAMF, Intune, or custom inventory scripts can identify outdated installations. Network-based detection of the vulnerability itself is not practical, as exploitation occurs within the browser's graphics pipeline. Focus on preventive measures: ensure auto-update is enabled and enforce update policies. If investigating a potential breach, check for exfiltration of sensitive data (cookies, session tokens) around the time a user visited untrusted sites after this vulnerability window.

Why prioritize this

Although Chromium rated this Low severity, the CVSS 3.1 score of 6.5 (Medium) reflects the realistic cross-origin data leakage risk. This vulnerability should be prioritized for prompt patching because: (1) Chrome is nearly ubiquitous, (2) the attack surface is broad (any visited webpage), (3) confidentiality impact is material for high-value targets, and (4) the fix is simple and non-disruptive. However, this is not a critical emergency—the lack of active exploitation and the requirement for user interaction mean urgent within-hours patching is not necessary.

Risk score, explained

The CVSS 6.5 (Medium) reflects a vulnerability with high confidentiality impact (user data leak) but low attack complexity and network adjacency. The requirement for user interaction (clicking a link or visiting a page) reduces the score from High. The sandbox isolation of Chrome's renderer process caps the scope of leakage. The score appropriately balances the genuine risk of data theft against the practical barriers to exploitation.

Frequently asked questions

Will my data be stolen if I'm using the latest Chrome?

No. If you are running Chrome version 149.0.7827.53 or later, you are protected. Chrome auto-updates by default, so most users are patched within days of the release. Check Settings > About Chrome to confirm your version.

Can this vulnerability be exploited without me visiting a malicious site?

No. An attacker must trick you into visiting a specially crafted webpage—they cannot exploit the vulnerability remotely or through drive-by downloads. Be cautious with links from untrusted sources, but ordinary browsing poses minimal risk as long as your Chrome is up to date.

Does this affect Chrome on Mac or Linux?

No. The vulnerability is specific to ANGLE's implementation on Windows. Chrome on macOS, Linux, and Android uses different graphics libraries and is not vulnerable.

What data could be leaked?

The leaked data is limited to what Chrome's renderer process can access—typically browser cache, local storage, and data from other open tabs. However, the vulnerability does not directly expose passwords or keychain data. The risk is highest for sensitive session tokens, API keys stored in browser storage, or information visible in other browser tabs.

This analysis is provided for informational purposes to help security teams prioritize patch management. It does not constitute legal or compliance advice. CVSS scores and severity ratings are subject to change by the vendor. Always consult official vendor advisories and verify patch versions against your own systems before deployment. This vulnerability has not been confirmed in active exploitation; however, responsible disclosure is advised. Organizations must evaluate risk based on their own threat model and user population. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).