CVE-2026-11090 - Vulnerability Details

Description

Uninitialized Use in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Published: 2026-06-04

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An uninitialized use bug in the ANGLE graphics library within Chrome enabled a remote attacker to read cross‑origin data from a crafted HTML page. This flaw allows unauthorized disclosure of information from web pages that do not share the same origin, resulting in a data breach without providing code execution capabilities.

Affected Systems

Google Chrome versions prior to 149.0.7827.53 are affected. The vulnerability resides in the ANGLE component and is addressed in Chrome 149.0.7827.53 and later releases.

Risk and Exploitability

The flaw can be exploited by hosting a malicious web page that the victim loads in Chrome. Because the attack requires only a crafted page, the likely vector is a user visiting a site or clicking a link. The EPSS score is not available, but the Chromium severity rating is Medium, indicating a significant impact on confidentiality. This vulnerability is not listed in the CISA KEV catalog.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Google

Chrome

affected

Version	Status	Constraints
`149.0.7827.53`	affected	< 149.0.7827.53

No data.

Vendor Product Confidence Versions

Google

Chrome

100%

Version	Status	Scheme	Platform
`[149.0.7827.53,149.0.7827.53)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Chrome to version 149.0.7827.53 or later
Enable automatic updates to receive future security patches
If updating is not immediately possible, restrict cross‑origin resource sharing and avoid visiting untrusted web pages

Generated by OpenCVE AI on June 5, 2026 at 04:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00035.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html
https://issues.chromium.org/issues/500161302

History

Fri, 05 Jun 2026 06:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Google Google chrome
Vendors & Products		Google Google chrome

Fri, 05 Jun 2026 04:30:00 +0000

Type	Values Removed	Values Added
Title		Uninitialized Use in ANGLE Causing Cross‑Origin Data Leak in Google Chrome

Thu, 04 Jun 2026 23:15:00 +0000

Type	Values Removed	Values Added
Description		Uninitialized Use in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses		CWE-457
References		https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500161302

Subscriptions

Google Chrome

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2026-06-04T23:04:52.227Z

Updated: 2026-06-04T23:04:52.227Z

Reserved: 2026-06-04T17:06:47.773Z

Link: CVE-2026-11090

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-06-04T23:17:13.930

Modified: 2026-06-05T15:02:59.990

Link: CVE-2026-11090

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T06:15:33Z

Weaknesses

CWE-457

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object