Description
Use after free in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use‑after‑free bug in ANGLE, the graphics abstraction layer used by Chrome. It allows a malicious renderer that has already been compromised to access freed memory. The exploit can lead to a sandbox break, giving the attacker unauthorized system access. The weakness is classified as CWE‑416 and can result in both data theft and control over the affected system.

Affected Systems

Google Chrome versions earlier than 149.0.7827.53 are affected. This includes all stable desktop releases before that build. No specific operating system is limited; the issue exists across all platforms where ANGLE is enabled.

Risk and Exploitability

The CVSS score is unknown in the supplied data, but the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. Because the attack requires a compromised renderer process and a crafted HTML page, the likelihood of exploitation is moderate to high where users are browsing potentially malicious content and the renderer is not fully sandboxed. The potential impact is significant, allowing remote code execution if the sandbox escape succeeds.

Generated by OpenCVE AI on June 5, 2026 at 02:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 149.0.7827.53 or later, which contains the ANGLE use‑after‑free fix.
  • If upgrading immediately is not possible, temporarily disable ANGLE acceleration by navigating to About:flags and disabling the relevant flag, reducing the attack surface.
  • Configure Chrome to run with reinforced sandboxing policies and monitor for any anomalous renderer behavior through OS audit logs.

Generated by OpenCVE AI on June 5, 2026 at 02:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 05:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free in ANGLE Enables Potential Sandbox Escape in Chrome

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Use after free in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-416
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:04:31.339Z

Reserved: 2026-06-04T17:06:35.584Z

Link: CVE-2026-11040

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-04T23:17:08.250

Modified: 2026-06-04T23:17:08.250

Link: CVE-2026-11040

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T05:30:32Z

Weaknesses