CVE-2026-9944: Chrome ANGLE Memory Leak Cross-Origin Data Disclosure
CVE-2026-9944 is a memory safety issue in the ANGLE graphics library used by Google Chrome. An attacker who has already compromised Chrome's renderer process can craft a malicious webpage to leak sensitive data from other websites or origins. The vulnerability requires the renderer to be compromised first, limiting the attack surface, but the data leakage potential is real once that initial foothold exists. Chrome versions before 148.0.7778.216 are vulnerable on Windows, macOS, and Linux.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.1 LOW · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-457
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Uninitialized Use in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This vulnerability stems from uninitialized memory use (CWE-457) in ANGLE, Chrome's abstraction layer for graphics APIs. When the renderer process has been compromised by an attacker, they can supply a crafted HTML page that reads uninitialized memory regions containing cross-origin data. The Chromium security team classified this as High severity at the graphics layer level, though the CVSS score of 3.1 reflects the prerequisite that renderer compromise must already exist. The flaw allows information disclosure without code execution or data modification.
Business impact
For enterprise environments, this vulnerability poses a moderate but real information security risk. While it requires an existing renderer compromise, successful exploitation could expose sensitive user data from other websites—authentication tokens, personal information, or business data. Organizations relying on Chrome for business applications should prioritize patching, especially those handling sensitive data or operating in threat environments where renderer exploits are already circulating. The impact is confined to confidentiality; integrity and availability are not affected.
Affected systems
Google Chrome versions prior to 148.0.7778.216 are affected across all major operating systems: Windows, macOS, and Linux. The vulnerability exists in ANGLE, which is integrated into Chrome's rendering engine, so any deployment of unpatched Chrome on these platforms is at risk. Other Chromium-based browsers may inherit similar exposure depending on their version and ANGLE integration; verify with your specific browser vendor.
Exploitability
Exploitation requires a two-stage attack: first, the attacker must compromise the Chrome renderer process through another vulnerability or attack vector (such as a site isolation bypass or prior renderer exploit). Second, they deliver a crafted HTML page to leak cross-origin data. The CVSS score of 3.1 reflects this high barrier to initial renderer compromise. Once renderer control is gained, however, exploitation of this flaw is straightforward. No active exploitation in the wild has been publicly disclosed, and the vulnerability is not tracked on the CISA KEV list.
Remediation
Update Google Chrome to version 148.0.7778.216 or later. Automatic updates are enabled by default in Chrome; verify successful deployment via the browser's About page (chrome://about). On managed deployments, push the update through your endpoint management system. No workarounds exist for unpatched versions, so timely patching is essential. Confirm the new version is running before resuming sensitive web-based activities.
Patch guidance
Chrome 148.0.7778.216 and later versions contain the fix. Deploy updates through Chrome's built-in update mechanism or via enterprise deployment tools (Google Admin Console, WSUS, etc.). Test the patch in a non-production environment first if your organization has strict change control policies. After deployment, audit endpoint telemetry to confirm version compliance. No rollback is necessary unless the patch introduces a regression; Chromium's rapid release cycle typically resolves any such issues within days.
Detection guidance
Monitor Chrome version numbers across your environment using endpoint detection and response (EDR) tools or mobile device management (MDM) platforms. Check running process versions via System Information or command-line tools (e.g., 'chrome.exe --version' on Windows). Log and alert on any instances of Chrome version < 148.0.7778.216. Additionally, monitor for unusual cross-origin data access patterns in application logs if you operate custom web applications; however, this is difficult without renderer-level instrumentation. Focus on ensuring version compliance as the primary control.
Why prioritize this
Despite the low CVSS score, prioritize this patch because it addresses a real information disclosure path in a widely deployed browser used for business applications. The prerequisite of renderer compromise prevents immediate risk, but the presence of actively exploited renderer vulnerabilities in the wild means this secondary vulnerability could rapidly become dangerous. Organizations with high data sensitivity or in mature threat environments should patch within 1–2 weeks; others within 30 days.
Risk score, explained
The CVSS 3.1 score of 3.1 (Low severity) reflects the requirement for pre-existing renderer compromise (Attack Vector: Network, Attack Complexity: High, Privileges: None, User Interaction: Required) and the information disclosure impact only (Confidentiality: Low, Integrity: None, Availability: None). However, this numeric score underrepresents business risk in sensitive environments where renderer exploits are known and actively exploited. Security teams should apply organizational context: data sensitivity, browser usage patterns, and threat modeling outcomes should drive priority higher than the base CVSS alone suggests.
Frequently asked questions
Do I need to patch this if I'm using a Chromium-based browser like Edge or Brave?
Check your browser vendor's security advisories. While Edge and Brave may use Chromium code, the timing and presence of the ANGLE fix varies. Microsoft and other vendors typically patch within weeks of Google's release. Verify your specific browser version against the vendor's advisory rather than relying on Chrome's patch date.
What is ANGLE and why does it matter?
ANGLE (Almost Native Graphics Layer Engine) is a graphics abstraction layer that Chrome uses to translate graphics API calls to the underlying OS (DirectX on Windows, Metal on macOS, etc.). Bugs in ANGLE affect rendering security and stability. This flaw specifically allows memory leaks through uninitialized graphics memory, a class of issue that graphics libraries are particularly prone to.
Can I disable graphics acceleration to avoid this vulnerability?
Disabling GPU acceleration in Chrome (via chrome://settings/system) would theoretically avoid ANGLE code paths, but this is not a supported workaround and will severely degrade performance. Patching is the proper remediation. Do not disable graphics acceleration as a security measure.
Why is this marked as Low severity when it leaks cross-origin data?
The Low score reflects the mandatory precondition: the attacker must first compromise the renderer process, which itself requires a separate vulnerability or attack. CVSS prioritizes exploitability from the network boundary; data leakage within an already-compromised process is a secondary impact. In your threat model, if renderer exploits are common or suspected, treat this as higher priority.
This analysis is provided for informational and defensive security purposes. SEC.co makes no warranty regarding the accuracy of vendor patch information or the completeness of affected product lists. Organizations should verify patch applicability against official vendor advisories and test in non-production environments before broad deployment. CVSS scores are reproduced from official sources and represent baseline severity; organizational context, threat models, and data sensitivity should inform final remediation priority. No exploit code or weaponized attack details are provided or implied. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10960HIGHChrome Sandbox Escape via Uninitialized Codec Variable
- CVE-2026-9935MEDIUMChrome ANGLE Uninitialized Memory Leak – Cross-Origin Data Disclosure
- CVE-2026-9942MEDIUMANGLE Site Isolation Bypass in Chrome – Remediation Guide
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10006HIGHChrome WebAudio Race Condition Remote Code Execution