CVE-2026-9908: Chrome ANGLE Out-of-Bounds Memory Read – Data Leakage Vulnerability
CVE-2026-9908 is a memory disclosure flaw in Google Chrome's ANGLE graphics library that lets attackers read uninitialized or sensitive data from your browser process. An attacker crafts a malicious HTML page; when you visit it, the bug leaks information that shouldn't be accessible—such as encryption keys, session tokens, or other sensitive values that happened to be in memory. The vulnerability requires user interaction (clicking through to a malicious site) but no authentication, and it affects Chrome versions before 148.0.7778.216.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-125
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Out of bounds read in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability is an out-of-bounds read in ANGLE (Almost Native Graphics Layer Engine), Chrome's WebGL/graphics abstraction layer. CWE-125 classifies this as a read access beyond the bounds of an allocated buffer. During graphics processing or shader compilation, the code fails to validate buffer indices or bounds before reading, allowing an attacker-controlled shader or WebGL command sequence to access adjacent memory. The disclosed data is then exfiltrated via timing side-channels, error messages, or pixel readback operations. This is a confidentiality issue with no impact on integrity or availability.
Business impact
Data leakage from browser process memory can expose customer credentials, authentication tokens, personal information, or intellectual property in use within the browser context. For organizations where employees browse sensitive web applications or handle confidential documents via web interfaces, this increases the risk of credential compromise and lateral movement. The attack surface is broad since it requires only a malicious webpage visit, making it suitable for targeted attacks against specific user populations.
Affected systems
Google Chrome versions prior to 148.0.7778.216 are vulnerable. The issue affects the ANGLE graphics component, which is used on Windows, macOS, and Linux. Any system running an unpatched Chrome build is at risk if the user visits a malicious or compromised website.
Exploitability
Exploitability is moderate to high. The attack requires user interaction (visiting a crafted HTML page), but no special privileges or authentication. The attacker needs only to host the malicious page or compromise an existing site. The technical barrier to crafting a WebGL or shader-based exploit is moderate; it requires knowledge of graphics APIs but not zero-day development. CVSS 6.5 reflects the high confidentiality impact and low attack complexity, tempered by the requirement for user interaction.
Remediation
Update Google Chrome to version 148.0.7778.216 or later. Automatic updates should deploy the patch; verify the installed version in chrome://version/. For managed environments, use Chrome policies to enforce updates and block older versions. In the interim, security controls cannot fully mitigate this remotely exploitable flaw, but blocking WebGL or restricting access to untrusted sites may reduce exposure for high-risk users.
Patch guidance
Deploy Chrome 148.0.7778.216 or later via auto-update or manual installation. Verify rollout completion by checking version strings in deployed endpoints. No workarounds are available; patching is the only reliable remediation. Monitor Chrome update adoption in your environment to ensure timely coverage.
Detection guidance
Detection at the network level is difficult since the attack occurs within JavaScript/WebGL execution and memory access is local to the process. Behavior-based detection could flag unusual WebGL shader compilation patterns or repeated pixel readback operations, but this requires endpoint telemetry and EDR integration. Monitor for suspicious JavaScript targeting WebGL APIs in proxy logs. At the endpoint, EDR tools may detect process memory scanning if the exfiltration method involves abnormal IPC or network transmission of gathered data.
Why prioritize this
Although rated CVSS 6.5 (MEDIUM), this vulnerability merits prioritization because it enables silent, user-interaction-dependent data exfiltration affecting a widely used browser. It is not listed in CISA KEV, but the broad attack surface, ease of delivery, and confidentiality impact make it a suitable candidate for targeted campaigns. Prioritize patching for users accessing sensitive web applications or handling high-value data in the browser.
Risk score, explained
The CVSS 3.1 score of 6.5 reflects a network-accessible, low-complexity attack requiring user interaction and no privileges, with high confidentiality impact but no integrity or availability impact. The lack of KEV listing suggests no known active exploitation as of the publication date, but the attack vector and practical exploitability remain significant in real-world scenarios.
Frequently asked questions
Can this vulnerability be exploited without the user clicking a link?
No. The attack requires the user to visit a malicious or compromised website. It cannot be exploited through email attachments, drive-by downloads triggered by passive network observation, or local access alone. However, the barrier to crafting a convincing phishing message or compromising a legitimate site is lower than for other types of attacks.
What data can be stolen?
Any data present in the Chrome process memory at the time of the attack could potentially be leaked, including browsing history, cached credentials, JavaScript variable values, or unencrypted parts of web application state. The exact data depends on what the attacker can reliably trigger the out-of-bounds read to access.
Does disabling WebGL protect me?
Disabling WebGL would likely prevent this specific attack since it exploits ANGLE's graphics processing. However, this is a temporary workaround and breaks functionality on many modern websites. Patching Chrome is the recommended solution.
Is this vulnerability being actively exploited?
As of the publication date (May 28, 2026), there is no evidence of active exploitation in CISA's KEV catalog. However, the relative ease of crafting a WebGL-based exploit means vigilance is warranted, especially in targeted threat scenarios.
This analysis is based on the vulnerability disclosure as of June 17, 2026. Patch version numbers and specific technical details are sourced from official Google Chromium security advisories. Exploit code or detailed proof-of-concept instructions are not provided herein. Organizations should verify patch applicability and compatibility with their environment before deployment. Risk assessments should be tailored to your specific threat model and user population. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10979MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure Vulnerability
- CVE-2026-10985MEDIUMOut-of-Bounds Read in Google Chrome Skia – Data Leakage Vulnerability
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-10999MEDIUMGoogle Chrome ANGLE Integer Overflow Information Disclosure
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure
- CVE-2026-11005MEDIUMOut-of-Bounds Read in Chrome ANGLE on Windows
- CVE-2026-11006MEDIUMChrome Out-of-Bounds Read in Dawn Graphics API—Urgent Patch Required
- CVE-2026-9907MEDIUMChrome Out-of-Bounds Read Vulnerability Enables Cross-Origin Data Leakage