MEDIUM 5.3

CVE-2026-11678: Integer Overflow in Chrome libyuv Enables Memory Disclosure

An integer overflow vulnerability exists in libyuv, an image processing library bundled with Google Chrome. The flaw allows an attacker who has already compromised Chrome's renderer process to read sensitive information from memory by serving a specially crafted HTML page. Because the attack requires prior renderer compromise, real-world exploitation involves a multi-stage attack chain rather than direct network exploitation.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-472
Affected products
4 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Integer overflow in libyuv in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11678 is an integer overflow in libyuv (CWE-472) affecting Google Chrome versions prior to 149.0.7827.103. The vulnerability resides in image processing code and can be triggered by malicious HTML content. Successful exploitation enables arbitrary memory disclosure from the compromised renderer process context, potentially exposing credentials, tokens, or other sensitive data resident in process memory. The vulnerability has a CVSS 3.1 score of 5.3 (MEDIUM) with a vector of AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N, reflecting network accessibility, high attack complexity, user interaction requirement, and confidentiality impact without integrity or availability loss.

Business impact

This vulnerability primarily affects organizations relying on Chrome for secure web browsing or embedded web rendering. The attack chain—requiring prior renderer compromise—suggests this is most dangerous in scenarios where users are already targeted by other exploits or malware. Data exfiltration of session tokens, authentication credentials, or personal information could lead to account compromise or identity theft. Organizations using Chrome in kiosk, embedded, or high-assurance environments should treat renderer compromise risks seriously. The vulnerability is not yet tracked as actively exploited in the wild (KEV status: not listed).

Affected systems

Google Chrome versions prior to 149.0.7827.103 are directly affected. The vendor product list also includes Apple macOS, Linux kernel, and Microsoft Windows, likely reflecting that Chrome runs on these platforms. Organizations should verify patching across all Chrome deployments on these operating systems. Chrome-based browsers and Chromium derivatives built before the patched libyuv code may also be vulnerable; check your vendor's patch status independently.

Exploitability

Real-world exploitation requires an attacker to first compromise Chrome's renderer process through a separate vulnerability or attack vector (e.g., a memory corruption bug or prior malware infection). Once inside the renderer, the attacker serves a malicious HTML page with crafted image data that triggers the integer overflow and memory leak. The attack is not remotely exploitable without prior compromise, and it requires user interaction (viewing the HTML). These factors limit immediate widespread risk, though the vulnerability remains serious for users already targeted by other attacks.

Remediation

Update Google Chrome to version 149.0.7827.103 or later. This patch contains a fix for the integer overflow in libyuv. Verify the patch version through Chrome's built-in update mechanism (Settings > About Chrome on desktop platforms) or your organization's Chrome management console. Automatic updates are enabled by default in most Chrome installations. No workaround is available other than updating.

Patch guidance

Deploy Chrome version 149.0.7827.103 or later across all endpoints. For enterprise environments, use Chrome Enterprise or Chrome Browser Cloud Management to enforce automatic updates and verify deployment. Prioritize patching in scenarios where users are likely targets of social engineering or malware campaigns. Test the patch in a limited environment if you maintain custom Chrome builds or extensions. Verify successful deployment by checking chrome://version or querying the browser's version remotely if you have mobile device management (MDM) or endpoint management tools in place.

Detection guidance

Monitor for unusual memory access patterns or process behavior in Chrome renderer processes, though detection via endpoint telemetry is difficult without deep introspection. Network-level detection is not practical since the attack requires prior in-process compromise. Focus on preventing renderer compromise in the first place by: (1) keeping Chrome and all extensions updated, (2) disabling unnecessary extensions, (3) monitoring for signs of malware infection, and (4) using security tools that detect suspicious process behavior. Consider endpoint detection and response (EDR) solutions that can flag anomalous memory reads or process memory dumping attempts.

Why prioritize this

This vulnerability merits prompt but not critical-level attention. The CVSS score of 5.3 reflects the medium baseline severity, but the practical risk depends on your threat model. Prioritize patching if your organization is in a high-risk sector (finance, government, media) or if users are frequently targeted by phishing or malware campaigns. The requirement for prior renderer compromise means this is a secondary concern compared to zero-day renderer exploits themselves. However, if an attacker has already broken into your environment, this vulnerability provides an additional avenue for data exfiltration, so patch it as part of normal security maintenance alongside other Chrome updates.

Risk score, explained

The CVSS 3.1 score of 5.3 (MEDIUM) reflects a network-accessible vulnerability (AV:N) with high attack complexity (AC:H), no privilege requirement (PR:N), but a requirement for user interaction (UI:R). The impact is confidentiality (C:H) only—sensitive data can be exposed—with no integrity or availability impact. The medium rating appropriately captures that while the vulnerability can leak sensitive information, it requires multiple preconditions: an attacker must first gain renderer process access, and the target must view a malicious page. This differs from a direct remote code execution or unauthenticated network attack.

Frequently asked questions

Does this vulnerability allow remote code execution?

No. This is a memory disclosure vulnerability, not RCE. An attacker can read sensitive data from Chrome's memory, but cannot execute arbitrary code directly via this flaw. However, disclosed information (such as pointer values) could potentially aid in constructing follow-up attacks.

Can this vulnerability be exploited without already compromising Chrome?

No. The vulnerability requires an attacker to have already compromised Chrome's renderer process through a separate attack. This is a secondary vulnerability in an attack chain, not a primary entry point. An attacker would need to first exploit another Chrome vulnerability or use malware to establish renderer-level access.

Are older versions of Chrome still vulnerable?

Yes. All versions of Chrome prior to 149.0.7827.103 contain the vulnerable libyuv code. If you are running an earlier version, you are at risk if your renderer process is compromised. Update immediately to eliminate this specific attack surface.

Does this affect Chromium-based browsers other than Chrome?

Possibly. Any Chromium-derived browser that bundles the vulnerable libyuv code may be affected. Check your browser vendor's security advisories and patch status independently. Edge, Opera, Brave, and other Chromium variants may have their own release cycles and patch timelines.

This analysis is based on vulnerability data current as of the publication and modification dates provided. Security landscapes evolve rapidly; always consult official vendor advisories for the most current patch versions, affected product lists, and remediation guidance. SEC.co does not claim to enumerate all potential attack scenarios or downstream risks. Organizations should conduct threat modeling specific to their environment and asset criticality. No part of this analysis constitutes legal, compliance, or formal risk assessment advice. Verify all patch versions and deployment procedures against your vendor's official documentation before deployment to production systems. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).