Description
Uninitialized Use in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ANGLE, a graphics library component of Google Chrome, contains an uninitialized use that lets the browser read memory that has not been properly initialized. When a malicious HTML page is loaded, the uninitialized memory can reveal sensitive data from other origins, leaking cross‑origin content and compromising confidentiality. The weakness falls under CWE‑457 (Use of Uninitialized Variable). A remote attacker can thereby obtain information that the same‑origin policy would otherwise protect, potentially exposing user data or web application state.

Affected Systems

The flaw affects Google Chrome versions older than 149.0.7827.53, including earlier releases in the 149.x series. Any user running one of these affected builds on Windows, macOS, or Linux is susceptible. Users of Chrome Canary or other experimental tracks that have not yet received the patch are also at risk.

Risk and Exploitability

The Chrome developers have classified the issue as medium severity. No public exploit code or proof‑of‑concept was reported at the time of this advisory, and the EPSS score is currently unavailable, suggesting limited exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog. However, because the flaw can be triggered by a crafted web page, a determined adversary could target sandboxed users or in‑transit traffic via phishing or compromised sites. Given the absence of a known exploit, organizations should treat this as a moderate risk but still apply the official fix promptly.

Generated by OpenCVE AI on June 5, 2026 at 04:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or later.
  • If an immediate upgrade is not possible, disable ANGLE usage by launching Chrome with the flag --disable-angle, which forces the use of the legacy GDI implementation.
  • Apply strict Content Security Policy headers on web services to prevent cross‑origin data exposure, and verify same‑origin enforcement in your application code.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 05:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google; Google chrome
Vendors & Products | | Google; Google chrome

Fri, 05 Jun 2026 04:30:00 +0000

Type | Values Removed | Values Added
Title | | Cross‑Origin Data Leak via Uninitialized Variable in ANGLE

Thu, 04 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Uninitialized Use in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses | | CWE-457
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:05:15.432Z

Reserved: 2026-06-04T17:10:26.501Z

Link: CVE-2026-11138

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T23:17:19.980

Modified: 2026-06-04T23:17:19.980

Link: CVE-2026-11138

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T05:15:25Z

Weaknesses