MEDIUM 4.3

CVE-2026-9911: Integer Overflow in Chrome ANGLE Graphics Library – Information Disclosure Vulnerability

CVE-2026-9911 is a memory safety issue in the ANGLE graphics library used by Google Chrome. When a user visits a specially crafted webpage, an attacker can read small amounts of sensitive data from the browser's memory. The vulnerability requires user interaction—visiting the malicious page—but needs no special permissions or browser configuration to exploit. While the data exposure is limited in scope, it could leak sensitive information like passwords, tokens, or cached credentials stored in memory.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-472
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Integer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

An integer overflow vulnerability exists in ANGLE (Almost Native Graphics Layer Engine), the graphics abstraction layer integrated into Google Chrome. The flaw permits out-of-bounds memory reads when processing specially crafted HTML content. The attack surface is network-accessible; an attacker need only convince or trick a user into visiting a hostile webpage. No privilege escalation or local access is required. The vulnerability is classified as High severity by the Chromium security team but scored CVSS 3.1 as MEDIUM (4.3) because exploitation yields information disclosure without enabling code execution or availability impact.

Business impact

This vulnerability primarily threatens data confidentiality. Affected organizations face risk of credential leakage, session token exposure, or exfiltration of sensitive cached data when employees browse untrusted websites. In targeted scenarios—such as phishing campaigns aimed at high-value targets—attackers could selectively harvest authentication material or personal identifiable information. The attack is neither wormable nor self-propagating, limiting blast radius, but the low barrier to user infection and potential for targeted campaigns warrant prompt patching in security-conscious environments.

Affected systems

Google Chrome versions prior to 148.0.7778.216 are vulnerable. ANGLE is bundled with Chrome on all platforms (Windows, macOS, Linux, Android, iOS). Enterprise deployments running unpatched Chrome builds face exposure. Other Chromium-based browsers that share the same ANGLE codebase may also be affected, though vendors' patch timelines vary. Verify your specific browser versions and update status against the vendor advisory.

Exploitability

The vulnerability requires user interaction—a visit to an attacker-controlled or compromised webpage—making this a drive-by infection vector rather than remote code execution without user action. No authentication, special network position, or advanced capabilities are needed beyond crafting malicious HTML. However, the attack does not break the browser sandbox or grant attacker code execution, limiting damage to information disclosure. The low CVSS score reflects this constrained impact; Chromium's High severity designation acknowledges the privacy breach risk despite bounded technical severity.

Remediation

Update Google Chrome to version 148.0.7778.216 or later immediately. Automatic updates are enabled by default in Chrome; users can manually verify updates via Menu > About Google Chrome. For enterprise deployments using managed Chrome policies, deploy the patched version through your MDM or group policy framework. Interim mitigations—such as restricting browsing to known-safe sites or disabling JavaScript—reduce attack surface but are not substitutes for patching. No workarounds fully eliminate the risk.

Patch guidance

Apply Chrome version 148.0.7778.216 or any subsequent release. Most users will receive the patch automatically within days of the update's availability. Enterprise administrators should prioritize this patch in their update cycle, though the low CVSS score (4.3) may permit scheduling within standard maintenance windows if immediate deployment conflicts with change control. Verify successful patching by navigating to chrome://version and confirming the version number. Consider forcing an update check via chrome://settings/about if manual verification shows an older build.

Detection guidance

Monitor endpoint telemetry for Chrome processes interacting with untrusted or anomalous URLs, particularly HTML files from unexpected sources. Host-based detection is inherently limited since the attack leaves minimal forensic traces; focus on user awareness to prevent initial infection. Network-level detection of malicious HTML may be possible if the attack payload exhibits recognizable patterns, but this is difficult given the exploit's simplicity. Post-incident, inspect Chrome's cache, cookies, and autofill data for unexpected entries or access patterns. Consider enabling Chrome Enterprise alerting if your organization runs managed Chrome for early vulnerability notifications.

Why prioritize this

Although the CVSS score is MEDIUM (4.3), this vulnerability merits rapid patching due to its low exploitation friction and direct privacy impact. It is not listed on the KEV Catalog, indicating no current evidence of active exploitation in the wild, but the attack's simplicity suggests real-world proof-of-concepts may appear quickly. Organizations handling sensitive customer data, credentials, or personal information should prioritize this patch within their first update cycle. Smaller organizations or those with less sensitive workloads may defer to the next standard patch window.

Risk score, explained

The CVSS 3.1 score of 4.3 (MEDIUM) reflects limited scope: the vulnerability requires user interaction (CVSS UI:R), can only be exploited over the network (AV:N) with low attack complexity (AC:L), no privilege escalation (PR:N), and yields only confidentiality impact (C:L) without affecting integrity or availability (I:N/A:N). The CWE-472 classification (Integer Overflow or Wraparound) identifies the root cause. Chromium's High severity designation acknowledges the privacy risk and attack ease despite the bounded technical impact; the two ratings are not contradictory—one reflects potential privacy harm, the other a constrained threat model.

Frequently asked questions

Can this vulnerability be exploited if I don't click anything?

No. The attack requires active user interaction: visiting a malicious webpage. Simply having the page in a background tab or being redirected to it counts as interaction. You cannot be silently compromised by this flaw through email, file download, or network traffic alone—the user must view the HTML content in Chrome.

Does this vulnerability allow attackers to run code on my computer?

No. This is an information disclosure vulnerability, not a remote code execution flaw. Attackers can read limited amounts of data from Chrome's memory—such as cached credentials or session tokens—but cannot execute arbitrary code, modify files, or break out of the browser sandbox. Code execution would require a separate, more severe vulnerability.

I use a different browser like Firefox or Safari. Am I affected?

Not by this specific CVE, which is limited to Google Chrome and Chromium-based browsers that bundle the vulnerable ANGLE library. Firefox uses a different graphics stack, and Safari does not use ANGLE. However, check your browser vendor's security advisories to confirm you are not affected by similar flaws in other rendering engines.

Will Chrome auto-update patch this automatically?

Yes, in most cases. Chrome checks for updates daily and downloads patches in the background. To force an immediate check, go to Menu > About Google Chrome; it will update if a newer version is available. Some enterprise policies may delay auto-updates; contact your IT team if you see a version older than 148.0.7778.216 after 24 hours.

This analysis is provided for informational purposes and does not constitute professional security advice. Organizations must verify patch applicability, test updates in their environment, and consult vendor advisories before deployment. SEC.co makes no warranty regarding the accuracy, completeness, or timeliness of this information. Security professionals should conduct independent risk assessment based on their threat model, asset inventory, and organizational priorities. Patch version numbers and product applicability are current as of the publication date; consult google.com/chrome/update or your vendor's official security advisory for the latest guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).