Description
Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient validation of untrusted input in ANGLE, the abstraction layer Chrome uses for graphics rendering, allows a memory read from the renderer process. This can leak sensitive information stored in process memory. Chromium classifies the vulnerability as medium severity. The primary impact is exposure of data that the attacker could use for further compromise or to violate user privacy.

Affected Systems

The defect affects Google Chrome in all editions before 150.0.7871.47. Any user running a vulnerable version is at risk when a malicious or compromised renderer process is able to execute crafted HTML. The vulnerability is vendor‑specific to Chrome, with no other products listed. The problem was discovered in the ANGLE component of Chrome's rendering pipeline.

Risk and Exploitability

The CVSS score of 5.3 reflects medium severity for this vulnerability. EPSS is not available, and the flaw is not listed in the CISA KEV catalog. Because exploitation requires the attacker to have already compromised the renderer process, this is not a purely remote or user‑facing attack; it is effectively a privilege escalation within the browser context. The overall risk is medium; an exploit would be practical only in environments where renderer isolation is already bypassed.

Generated by OpenCVE AI on July 1, 2026 at 14:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install Chrome version 150.0.7871.47 or later to remove the input validation flaw
  • Ensure the browser’s automatic update mechanism is enabled so that future fixes are applied without manual intervention
  • If an update is temporarily unavailable, limit the rendering of untrusted content by disabling extensions that inject content or by using site permissions to constrain rendering privileges

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 14:45:00 +0000

Type Values Removed Values Added
Title ANGLE Input Validation Flaw Leading to Memory Data Leakage in Chrome

Wed, 01 Jul 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 01 Jul 2026 08:15:00 +0000

Type Values Removed Values Added
Title ANGLE Input Validation Failure Exposing Render Process Memory

Wed, 01 Jul 2026 02:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 02:00:00 +0000

Type Values Removed Values Added
Title ANGLE Input Validation Failure Exposing Render Process Memory

Tue, 30 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-20
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-01T01:33:45.521Z

Reserved: 2026-06-29T23:03:40.067Z

Link: CVE-2026-13877

Vulnrichment

Updated: 2026-07-01T01:33:38.924Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T14:30:05Z

Weaknesses
  • CWE-20

    Improper Input Validation