Description
Integer overflow in ANGLE in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from an integer overflow in the ANGLE component of Google Chrome for Windows, allowing a remote attacker who has already gained control of the renderer process to read sensitive data from process memory through a specially crafted HTML page. The flaw permits disclosure of potentially confidential information, posing a medium severity risk to affected users.

Affected Systems

Google Chrome on Windows is affected in versions earlier than 149.0.7827.53. The impact is confined to the compromised renderer process; such a compromise would typically occur when a user visits a malicious web page or runs a malicious extension.

Risk and Exploitability

The exploit requires the attacker to already have control of the renderer process, implying a prior compromise or successful exploitation of another vulnerability. EPSS is < 1% and the issue is not listed in CISA KEV, suggesting limited widespread exploitation. The CVSS score of 5.3 indicates medium severity, and given the need for an attacker foothold in the renderer process, the likelihood of exploitation remains moderate. The integer overflow permits an attacker to read arbitrary memory within the renderer, resulting in potential leakage of secrets or credentials.

Generated by OpenCVE AI on June 8, 2026 at 15:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Google Chrome update to at least version 149.0.7827.53 to patch the integer overflow and out-of-bounds memory access flaw (CWE-125, CWE-190, CWE-787).
  • Configure Chrome to run renderer processes with the least privileges possible and consider disabling hardware acceleration for untrusted content to mitigate potential memory disclosure caused by out-of-bounds read (CWE-125).
  • If an immediate update is not feasible, restrict or remove access to untrusted web content and monitor for anomalous renderer behavior, noting that this temporary workaround addresses the identified CWE weaknesses but does not fully resolve the vulnerabilities.



Advisories
Source | ID | Title
Debian DSA | DSA-6325-1 | chromium security update
History

Mon, 08 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-125, CWE-787
Metrics | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N'} | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}


Sun, 07 Jun 2026 12:15:00 +0000

Type | Values Removed | Values Added
Title | ANGLE Integer Overflow Allows Renderer Process Memory Disclosure on Windows | chromium-browser: Out of bounds memory access in ANGLE
References | |
Metrics | threat_severity None | threat_severity Moderate


Sun, 07 Jun 2026 01:00:00 +0000

Type Values Removed Values Added
Title ANGLE Integer Overflow Allows Renderer Process Memory Disclosure on Windows

Sat, 06 Jun 2026 17:30:00 +0000

Type | Values Removed | Values Added
Metrics | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'} | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}; cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N'}


Sat, 06 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Title Integer Overflow in ANGLE Enabling Remote Memory Disclosure via Crafted HTML in Google Chrome on Windows

Sat, 06 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}


Fri, 05 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
Title Integer Overflow in ANGLE Enabling Remote Memory Disclosure via Crafted HTML in Google Chrome on Windows
Weaknesses CWE-190

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Integer overflow in ANGLE in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-08T12:37:28.812Z

Reserved: 2026-06-04T17:06:25.775Z

Link: CVE-2026-10999

Vulnrichment

Updated: 2026-06-06T16:47:06.153Z

NVD

Status: Modified

Published: 2026-06-04T23:17:03.617

Modified: 2026-06-08T13:16:30.613

Link: CVE-2026-10999

Redhat

Severity: Moderate

Public Date: 2026-06-02T00:00:00Z

Links: CVE-2026-10999 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-08T15:45:06Z

Weaknesses