Description
Uninitialized Use in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Use of an uninitialized variable in ANGLE, the graphics layer used by Google Chrome, can expose cross-origin data. An attacker who has already compromised the renderer process can use a crafted HTML page to read information from other sites that the user accesses, violating confidentiality. The weakness is an instance of CWE-457 (Use of Uninitialized Variable), where the use of an uninitialized variable leads to undefined behavior that can be abused to leak data.

Affected Systems

Google Chrome browsers running versions earlier than 149.0.7827.53 are affected. The vulnerability is present in the ANGLE component used by the renderer process.

Risk and Exploitability

The flaw carries a Medium severity on Chromium's internal scoring system. No EPSS data is available and the issue is not listed in the CISA KEV catalog. Exploitation requires that the attacker has already compromised the renderer process, which typically means the user has been tricked into visiting a malicious page or the machine has been compromised locally. Once the renderer is under attacker control, crafted HTML can trigger the uninitialized variable use and leak cross-origin data. The exploit needs no user interaction beyond navigation to a malicious page.

Generated by OpenCVE AI on June 5, 2026 at 02:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 149.0.7827.53 or later where the ANGLE uninitialized‑variable bug has been fixed.
  • Enforce Chrome enterprise policies that limit renderer process capabilities, such as disabling ANGLE or using a stricter same‑origin policy, to reduce the attack surface if an update cannot be applied immediately.
  • Monitor browser usage for abnormal renderer activity and block or quarantine any suspicious HTML pages that may attempt cross‑origin data reads.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 05:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google, Google chrome
Vendors & Products | | Google, Google chrome

Fri, 05 Jun 2026 02:45:00 +0000

Type | Values Removed | Values Added
Title | | Cross-Origin Data Leak via Uninitialized Variable in ANGLE

Thu, 04 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Uninitialized Use in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses | | CWE-457
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:04:51.129Z

Reserved: 2026-06-04T17:06:47.128Z

Link: CVE-2026-11087

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T23:17:13.557

Modified: 2026-06-04T23:17:13.557

Link: CVE-2026-11087

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T05:30:32Z

Weaknesses