MEDIUM 6.5

CVE-2026-9953: Chrome ANGLE Out-of-Bounds Memory Read Information Disclosure

CVE-2026-9953 is a memory safety bug in the ANGLE graphics library used by Google Chrome that allows an attacker to read sensitive data from the browser process. An attacker can craft a malicious HTML page that, when visited by a user, exploits an out-of-bounds read to leak information like passwords, session tokens, or other confidential data stored in Chrome's memory. The vulnerability requires user interaction (clicking a link or visiting a page) but does not require special privileges and works across Windows, macOS, and Linux. Google has assigned it high severity within Chromium's security framework.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-125
Affected products
4 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Out of bounds read in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This vulnerability is an out-of-bounds read in ANGLE (Almost Native Graphics Layer Engine), the DirectX abstraction layer that Chrome uses for GPU-accelerated graphics rendering. An attacker-controlled HTML page can trigger a memory read operation that accesses data beyond the intended buffer boundary in the graphics processing pipeline. The flaw is catalogued as CWE-125 (Out-of-bounds Read). Because the read occurs during graphics processing initiated by page content, the attacker can orient what data is exposed through careful crafting of rendering commands. The vulnerability was patched in Chrome 148.0.7778.216 and later versions.

Business impact

Organizations with employees using unpatched Chrome browsers face potential credential theft, session hijacking, and extraction of sensitive application data. In industries handling regulated data (finance, healthcare, government), a memory leak of this type could result in compliance violations and breach notification obligations. The attack surface is broad—any user visiting a compromised or attacker-controlled website is at risk during normal browsing. The lack of KEV status indicates this has not yet been observed in active exploitation campaigns, but the low barrier to attack (only user interaction required) means adoption by threat actors is possible.

Affected systems

Google Chrome versions prior to 148.0.7778.216 are affected across Windows, macOS, and Linux platforms. The vulnerability resides in ANGLE, which is integral to Chrome's rendering engine, so all Chrome installations on these operating systems using affected versions are in scope. Other Chromium-based browsers (Edge, Brave, Opera, etc.) may also be affected depending on their build version and whether they use the vulnerable ANGLE code; vendors should be contacted individually for confirmation.

Exploitability

The vulnerability is exploitable with low complexity and no special privileges. An attacker only needs to host a malicious HTML page and convince or trick a user into visiting it—no user privileges or local access are required. The attack is triggered remotely via the network. However, it does require user interaction (the user must visit the page), which is a minor friction point. Given the ease of delivering HTML payloads and the ubiquity of phishing and watering hole attacks, this should be considered readily exploitable in real-world conditions.

Remediation

Update Google Chrome to version 148.0.7778.216 or later immediately. Chrome auto-updates by default, but users should verify they are on the latest version by navigating to chrome://settings/help. For managed environments, deploy the update via group policy or your device management platform. If you use a Chromium-based browser other than Chrome, contact that vendor for patch availability and deploy accordingly. No workarounds are available; patching is the only mitigation.

Patch guidance

Deploy Chrome 148.0.7778.216 or any subsequent version. Most users will receive this update automatically; however, enterprise administrators should verify rollout within their environment and consider forced distribution if auto-update is disabled. Prioritize desktop endpoints with high exposure to untrusted web content. Test the patch in a limited set of devices before organization-wide deployment to confirm compatibility with critical web applications. Chromium-based browser vendors should be queried for their patch timeline and deployment guidance.

Detection guidance

Monitor Chrome process memory for unusual access patterns or crashes related to GPU/graphics processing, though this is difficult to detect at runtime. At the network level, watch for traffic to known malicious hosting sites. In incident response, examine browser history and recent page visits for links leading to suspicious domains. Endpoint detection and response (EDR) tools may flag attempts to trigger graphics buffer overruns if configured for graphics API anomalies. However, detection of actual exploitation in the wild is challenging without memory dumps from affected processes. Focus on proactive patching and user awareness rather than reactive detection.

Why prioritize this

Although the CVSS score is medium (6.5), the practical risk is elevated. The vulnerability enables information disclosure from a widely used application (Chrome) affecting billions of users. The low barrier to exploitation (only user interaction) combined with high impact (sensitive data theft) warrants rapid patching. The absence of KEV status suggests no active exploitation yet, which provides a narrow window to patch before threat actors weaponize this flaw. Organizations should treat this as high priority despite the medium CVSS score.

Risk score, explained

The CVSS 3.1 score of 6.5 (Medium) reflects a network-based attack with low complexity, no privileges required, and user interaction, but with high confidentiality impact and no integrity or availability impact. The score appropriately captures the information disclosure nature of the flaw. However, the Chromium project's internal 'High' severity designation indicates Google's security team views this as more serious, likely due to the ubiquity of Chrome and the ease of delivering malicious HTML at scale. Organizations should weigh both the CVSS metric and the contextual business risk when prioritizing.

Frequently asked questions

Can this vulnerability steal my passwords directly?

The vulnerability itself cannot selectively steal passwords. Instead, it allows an attacker to read arbitrary data from Chrome's process memory. If your passwords are decrypted and resident in memory at the time of exploitation, they could be exposed. However, modern password managers and Chrome's own credential storage use encryption and keep sensitive data out of the main heap, reducing but not eliminating risk.

Will auto-update protect me without any action?

Chrome auto-updates in the background by default, and you will receive version 148.0.7778.216 or later automatically. However, the update only takes effect after a browser restart. Users should restart Chrome promptly after seeing an update notification. In enterprise environments, verify that auto-update is enabled and monitor patch deployment metrics.

Are Chromium-based browsers like Edge and Brave affected?

Potentially yes, but it depends on their build version and whether they've pulled the vulnerable ANGLE code from the Chromium upstream repository. Each vendor has its own release schedule and patch timeline. Check with Microsoft (Edge), the Brave project, and other vendors for specific guidance on whether they are affected and when patches are available.

What should I do if I cannot patch immediately?

While no perfect workaround exists, minimize risk by avoiding untrusted websites and suspicious links, disabling JavaScript if feasible (though this breaks many sites), and using a secondary browser for high-risk browsing. However, these are weak mitigations. Patching should be completed as soon as possible, ideally within days rather than weeks.

This analysis is provided for informational purposes and reflects publicly disclosed information as of the publication date. The vulnerability details, affected versions, and patch information are based on vendor advisories and CVE records. Organizations should verify patch availability and compatibility with their environment before deployment. No liability is assumed for the accuracy or completeness of this information, and security decisions should be made in consultation with qualified security personnel and the relevant vendors. This document does not constitute professional security advice and should not be treated as a substitute for formal vulnerability management processes. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).