MEDIUM 4.3

CVE-2026-9935: Chrome ANGLE Uninitialized Memory Leak – Cross-Origin Data Disclosure

CVE-2026-9935 is a memory safety issue in Google Chrome's ANGLE graphics library that allows attackers to steal sensitive data from other websites. When you visit a malicious webpage, an attacker can craft it to leak information that should be isolated to other sites you have open. The vulnerability requires user interaction—you must visit the attack page—but the bar for exploitation is otherwise low. Google has classified this as High severity internally, though the CVSS score reflects a more limited scope.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-457
Affected products
4 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Uninitialized Use in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

An uninitialized variable in ANGLE (Almost Native Graphics Layer Engine), Chrome's cross-platform graphics abstraction library, permits information disclosure via memory access primitives. The flaw (CWE-457) stems from use of uninitialized memory, which can contain remnants of data from other processes or security contexts. A remote attacker can construct a malicious HTML page that triggers graphics operations in a way that causes uninitialized memory to be read and exfiltrated to the attacker's origin, bypassing same-origin policies. This affects Chrome versions prior to 148.0.7778.216 on Windows, macOS, and Linux systems.

Business impact

Data leakage across security boundaries undermines the browser's isolation model. An attacker could extract authentication tokens, session cookies, or sensitive page content from other open tabs—effectively compromising the confidentiality of user sessions without requiring code execution or privilege escalation. For organizations where employees browse sensitive internal applications alongside untrusted content, this widens the attack surface for credential theft and lateral movement.

Affected systems

Google Chrome versions before 148.0.7778.216 on Microsoft Windows, Apple macOS, and Linux are vulnerable. The issue also affects the underlying Linux kernel graphics stack as a downstream component. Chrome OS and other Chromium-based browsers may also be impacted depending on their patch status. The vulnerability is platform-agnostic at the browser level, making it relevant across all major desktop operating systems.

Exploitability

Exploitation is network-accessible and requires no special privileges. However, it does require user interaction—a victim must navigate to or be redirected to the attacker's crafted HTML page. No authentication or unusual system configuration is needed. The attack surface is broad because any website visit can trigger the vulnerability. The CVSS score of 4.3 reflects the limited impact (confidentiality only, no integrity or availability impact) despite the relative ease of triggering the flaw. It is not currently tracked in the CISA Known Exploited Vulnerabilities catalog, suggesting active in-the-wild exploitation has not been widely reported as of the last update.

Remediation

Update Google Chrome to version 148.0.7778.216 or later immediately. This applies to Windows, macOS, and Linux users. Organizations should enforce automatic Chrome updates or use group policies to push the patch. Users running Chromium-based browsers (Edge, Brave, etc.) on Chromium 148+ should verify their vendor has backported the fix. For Linux system administrators, ensure the graphics drivers and kernel components are up-to-date, particularly if using ANGLE-dependent applications.

Patch guidance

Google released the fix in Chrome 148.0.7778.216. Verify the patch version in your deployment by checking Chrome's About page (chrome://help on desktop, or Settings > About Chrome on mobile). For enterprise deployments, use the Chrome Enterprise bundle or Group Policy to enforce updates. Monitor vendor advisory channels (google.com/chrome/security) for any related patches to downstream projects like Chromium forks. Test patching in a staging environment first if you manage custom Chromium builds.

Detection guidance

Monitor for unusual graphics API calls or memory access patterns in browser process logs. Endpoint detection and response (EDR) tools should flag processes attempting to read uninitialized memory or exfiltrate data via graphics pipelines. Network-level detection is difficult because the exfiltration occurs within normal HTTP/HTTPS traffic to attacker-controlled sites. Prioritize detecting visits to known malicious sites via threat intelligence feeds. Browser security event logs (if available) may show cross-origin data access anomalies. Proof-of-concept code or proof-of-work demonstrations do not change remediation priority—patching remains the primary control.

Why prioritize this

This vulnerability merits high priority because it defeats a core browser security model (same-origin policy) via a memory safety defect. Although the CVSS score is moderate, the attack vector is practical and the impact—cross-origin data theft—is severe in business context. The requirement for user interaction is a limiting factor, but given the ubiquity of web browsing, the probability of exploitation in most organizations is significant. Unpatched systems represent an immediate data-leakage risk, especially for users accessing sensitive web applications.

Risk score, explained

The CVSS 3.1 score of 4.3 (MEDIUM) accounts for network accessibility, low attack complexity, no privilege requirement, and user interaction requirement. However, only confidentiality is impacted (the 'C' component); integrity and availability are unaffected. This explains why the score is lower than the Chromium severity label (High), which weighs the security-boundary bypass more heavily. The business impact—cross-origin data leakage—is not fully captured by the CVSS metrics; organizations should treat this as higher-risk than the score alone suggests when users handle sensitive data in the browser.

Frequently asked questions

Can this vulnerability steal my passwords if I'm logged into a banking site?

Yes, potentially. If you have your bank open in one tab and visit a malicious site in another, the attacker can attempt to leak session tokens, cookies, or other data from the bank's page that resides in uninitialized memory accessible via graphics operations. This is why patching is urgent if you regularly access financial or healthcare portals.

Does this affect me if I only use Chrome on my phone?

The vulnerability affects Chrome on Windows, macOS, and Linux. Mobile versions of Chrome have separate code paths, but you should still update your mobile browser regularly as a security best practice. Verify the version of Chrome on your mobile device in its settings and enable automatic updates.

What's the difference between the CVSS score and Chromium's 'High' severity?

CVSS is a standardized metric that focuses on technical attributes like attack vector and impact scope. Chromium's severity rating weighs security-model violations and real-world risk more heavily. Here, the bug breaks the same-origin boundary—a foundational browser security guarantee—which justifies the High label despite the CVSS 4.3 rating. Both are useful; treat this as High-priority in your risk management.

If the KEV catalog doesn't list this, does it mean it's not being exploited?

The KEV catalog tracks vulnerabilities with evidence of active exploitation in the wild. Absence from the catalog does not guarantee no exploitation is occurring; it reflects what has been publicly reported or observed by U.S. government agencies and partners. You should still patch promptly based on the technical severity and business impact, not the KEV status alone.

This analysis is based on the vulnerability record published on 2026-05-28 and last modified on 2026-06-17. Patch version numbers and affected products are sourced from official vendor advisories; verify them directly with Google Chrome and your operating system vendor before deploying patches. This explainer does not constitute legal or compliance advice. Organizations should conduct their own risk assessment based on their environment, user behavior, and data sensitivity. No exploit code or weaponized proof-of-concept is provided. SEC.co and this analysis assume no liability for decisions made in reliance on this content. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).