Description
Uninitialized Use in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Uninitialized Use in ANGLE, a graphics component of Google Chrome, allows the browser to read memory that has not been properly initialized. This flaw can expose sensitive data that belongs to other origins, effectively violating the same‑origin policy. The weaknesses correspond to CWE‑457 and CWE‑824. The problem can be triggered when a crafted web page is loaded into the affected browser, potentially allowing an attacker to retrieve confidential data.

Affected Systems

The CVE identifies Google Chrome prior to version 149.0.7827.53 as the affected product. The notice does not differentiate among operating systems, so all builds of Chrome before that release are considered vulnerable unless the user has upgraded to a patched version.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity. EPSS information (< 1%) and the fact that the vulnerability is not included in the CISA KEV catalog suggest low exploitation likelihood at present. The likely attack vector is a crafted HTML page, inferred from the description of a remote attacker triggering the flaw, although no public exploits have been reported. Organizations should monitor for new proof‑of‑concepts but consider the risk moderate and prioritize patching.

Generated by OpenCVE AI on June 7, 2026 at 15:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or later
  • If an upgrade is not immediately feasible, restrict user access to untrusted websites that could provide crafted HTML content, using network filtering or internal policy controls
  • Enable Chrome’s Safe Browsing features and keep anti‑malware software up to date to reduce the chance of malicious pages exploiting the flaw

Advisories
Source ID Title
Debian DSA DSA-6325-1 chromium security update

History

Mon, 08 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Uninitialized Use in ANGLE
Weaknesses CWE-824
References
Metrics threat_severity

None

threat_severity

Moderate


Sat, 06 Jun 2026 08:15:00 +0000

Type Values Removed Values Added
Title Cross‑Origin Data Leak via Uninitialized Variable in ANGLE

Sat, 06 Jun 2026 04:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 05:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 04:30:00 +0000

Type Values Removed Values Added
Title Cross‑Origin Data Leak via Uninitialized Variable in ANGLE

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Uninitialized Use in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-457
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-08T18:46:25.820Z

Reserved: 2026-06-04T17:10:26.501Z

Link: CVE-2026-11138

Vulnrichment

Updated: 2026-06-06T03:43:11.455Z

NVD

Status: Modified

Published: 2026-06-04T23:17:19.980

Modified: 2026-06-08T19:16:39.590

Link: CVE-2026-11138

Redhat

Severity: Moderate

Public Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11138 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-07T15:15:46Z

Weaknesses
  • CWE-457

    Use of Uninitialized Variable

  • CWE-824

    Access of Uninitialized Pointer