← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-11111 · CWE-125 · Disclosed 2026-06-04

Out of bounds read in ANGLE in Google Chrome prior to 149

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a cracked peephole in the browser sandbox, not an unlocked front door

CVE-2026-11111 is an out-of-bounds read in Chrome's ANGLE graphics translation layer affecting Google Chrome versions before 149.0.7827.53. In plain English: a malicious page can feed malformed content to the GPU/graphics path and make the browser read memory it should not read, which can disclose data from the affected process and may also crash the tab or browser.

The vendor baseline of HIGH 8.1 overstates the enterprise patching urgency for the standalone bug. The real-world chain still needs user interaction, lands in a client-side browser context, and the public description says read, not reliable code execution. Without active exploitation, public weaponization, or a demonstrated sandbox escape chain, this behaves more like a medium-priority browser hardening fix than a fleet-wide fire drill.

"This is a browser-side info leak with user interaction and no exploit evidence, not a drop-everything emergency."
02 · The Attack Path

3 steps from start to impact.

STEP 01

Malicious site delivers a crafted HTML/WebGL payload

The attacker needs to get a target user onto an attacker-controlled or attacker-influenced web page that exercises ANGLE through crafted HTML and graphics content. In practice this is a browser exploit delivery problem, not an internet-exposed service problem, and the weaponized "tool" is simply the hostile page content described in the Chrome advisory.
Conditions required:
  • Target is running Google Chrome earlier than 149.0.7827.53
  • User visits attacker-controlled content
  • The vulnerable graphics path is reachable on that platform/profile
Where this breaks in practice:
  • Requires UI:R; there is no unauthenticated server-side reachability
  • Enterprise safe browsing, URL filtering, and user behavior controls reduce success rate
  • Some managed environments disable or constrain risky browser graphics features
Detection/coverage: Traditional network scanners will miss this. Browser version inventory and EDR/browser telemetry are the primary coverage points.
STEP 02

ANGLE reads beyond intended bounds

Once the crafted content is rendered, the bug can trigger an out-of-bounds read in ANGLE. The effective weapon is the malformed rendering workload itself; unlike a classic RCE primitive, the public record only describes unintended memory read, which is usually more useful for information disclosure than direct takeover.
Conditions required:
  • The crafted page must hit the exact vulnerable code path
  • Browser mitigations do not fully blunt the memory disclosure
Where this breaks in practice:
  • Modern Chrome hardening and allocator defenses often make memory bugs less deterministic
  • Read-only primitives are materially less valuable than write or control-flow primitives
Detection/coverage: Crash telemetry may catch failed attempts, but successful memory disclosure is usually quiet. There is no reliable signature-based network detection for the primitive itself.
STEP 03

Attacker harvests process memory or pairs the leak with another bug

Best-case impact for the attacker is memory disclosure from the compromised browser context, which can expose sensitive data and sometimes help build a later-stage exploit chain. To become truly severe in enterprise terms, this bug usually needs a second primitive such as renderer escape, sandbox escape, or a stronger memory corruption bug.
Conditions required:
  • Valuable secrets or exploit-relevant memory are present in the affected process
  • Attacker can exfiltrate disclosed data
  • For major compromise, a second vulnerability is available
Where this breaks in practice:
  • Chrome's multi-process architecture and sandboxing constrain blast radius
  • Standalone out-of-bounds read does not imply reliable code execution
  • No public evidence in the cited sources of in-the-wild chaining for this CVE
Detection/coverage: EDR may see abnormal browser child-process behavior if chained further, but the pure info-leak stage has poor direct detection.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public exploitation evidence found in the sources reviewed. CISA KEV does not list CVE-2026-11111.
Proof-of-concept availabilityNo public PoC located in the reviewed sources. The public bug reference exists (Chromium issue 500530720), but public exploit material was not evident.
EPSS0.00035 (~0.035%) with percentile about 10.8% in the CIRCL/Vulnerability-Lookup enrichment. That is low and argues against emergency exploitation pressure.
KEV statusNot KEV-listed as of the catalog checked. No CISA due date applies.
CVSS vectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H from the user-supplied intel. The important real-world brake is UI:R: the attacker must win a browsing event, not hit an exposed service.
Affected versionsGoogle Chrome before 149.0.7827.53. This is a desktop browser release train issue, not a server product exposure problem.
Fixed versionUpgrade to 149.0.7827.53 or later. Chrome Releases notes 149.0.7827.53/.54 for some desktop platforms; the CVE record references 149.0.7827.53 as the cutoff.
Scanning and exposure dataShodan/Censys-style internet exposure data is not very meaningful here because this is a client-side browser flaw. What matters is endpoint browser-version inventory, auto-update health, and relaunch compliance.
Disclosure date2026-06-04 in the CVE record metadata; Google's stable desktop update followed in early June 2026.
Reporter / researcherNot publicly named in the reviewed advisory material. The public references point to Chrome's release note and Chromium issue tracker entry rather than a credited external researcher.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (5.9/10)

The decisive factor is attacker position: this bug requires a user to browse to hostile content on a vulnerable endpoint, which sharply narrows reach compared with remotely reachable server software. On top of that, the public description is an out-of-bounds read in a sandboxed browser architecture with no public exploitation evidence, which keeps it out of the top patch tier.

HIGH Affected version boundary and fixed version
MEDIUM Exploitability and real-world impact as a standalone bug

Why this verdict

  • Downward adjustment: requires user interaction. UI:R means the attacker must first win a browsing event, phishing click, or ad-driven visit; this is not an unauthenticated internet-reachable service exploit.
  • Downward adjustment: browser-side blast radius. The affected population is limited to endpoints running vulnerable Chrome, and compromise starts in a sandboxed browser process rather than directly on a business-critical server.
  • Downward adjustment: read primitive, not proven RCE. Publicly described impact is out-of-bounds read / memory disclosure, which is materially weaker than a demonstrated write primitive or code-execution chain.
  • Downward adjustment: no KEV, no public PoC, very low EPSS. With EPSS 0.00035 and no known in-the-wild exploitation, threat pressure is low right now.
  • Residual risk keeps it above LOW. Chrome is ubiquitous, exploit delivery is just a web page, and memory disclosure bugs can become chainable components in larger browser exploit kits.

Why not higher?

It is not higher because the chain has multiple real-world brakes: user interaction, client-side targeting, and a read-only public impact description. If this were already being exploited, KEV-listed, or paired publicly with a sandbox escape, the score would move up fast.

Why not lower?

It is not lower because Chrome is everywhere and the exploit delivery mechanism is low-friction once a victim lands on a hostile page. Even a read primitive in a modern browser can enable data exposure or serve as a building block in a more dangerous exploit chain.

05 · Compensating Control

What to do — in priority order.

  1. Force Chrome auto-update and relaunch compliance — Use enterprise browser management to verify clients move to 149.0.7827.53 or later and actually relaunch into the fixed build. For a MEDIUM verdict there is no mitigation SLA — go straight to the 365-day remediation window, but because browser patching is low-friction you should clean this up in your normal endpoint cycle, not let it age.
  2. Reduce risky browsing on privileged workstations — Keep administrators and high-value users off general web browsing profiles or move them to hardened jump/admin workstations. This shrinks the odds that a hostile page can reach a privileged user's browser while you complete patch rollout; again, there is no mitigation SLA for this severity, so use it as risk reduction rather than as a substitute for patching.
  3. Disable unnecessary hardware acceleration or WebGL on tightly controlled tiers — Where line-of-business apps do not require advanced browser graphics, disable or restrict GPU-accelerated rendering and WebGL through policy on especially sensitive asset groups. This can reduce reachability into ANGLE, but validate business impact first because it is a temporary containment measure, not a universal enterprise setting.
  4. Watch browser crash and exploitation telemetry — Review EDR, browser management, and crash telemetry for unusual spikes tied to Chrome rendering crashes after June 2026 disclosure. That will not prevent the bug, but it gives you signal if exploitation attempts start showing up before patch coverage is complete.
What doesn't work
  • A WAF does not meaningfully help because the vulnerable component is the client browser, not your web application edge.
  • External vulnerability scanners are poor coverage here; they cannot infer a user's Chrome build or whether the browser has actually relaunched into the fixed version.
  • Relying on network perimeter blocking alone is weak because exploit delivery can come from legitimate-but-compromised sites, malvertising, or user-approved destinations.
06 · Verification

Crowdsourced verification payload.

Run this on the target endpoint or through your software inventory agent. Invoke it with python3 check_chrome_cve_2026_11111.py on macOS/Linux or py check_chrome_cve_2026_11111.py on Windows; no admin rights are required for basic file/registry reads, though some locked-down endpoints may require elevated context for full coverage.

noisgate-verify.py
PYTHONREAD-ONLYSAFE
#!/usr/bin/env python3\n# check_chrome_cve_2026_11111.py\n# Purpose: Detect whether locally installed Google Chrome is vulnerable to CVE-2026-11111\n# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN\n\nimport os\nimport platform\nimport re\nimport subprocess\nimport sys\n\nFIXED = (149, 0, 7827, 53)\n\ndef parse_version(text):\n    m = re.search(r'(\d+)\.(\d+)\.(\d+)\.(\d+)', text or '')\n    if not m:\n        return None\n    return tuple(int(x) for x in m.groups())\n\ndef cmp_ver(a, b):\n    return (a > b) - (a < b)\n\ndef try_cmd(cmd):\n    try:\n        p = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, timeout=10)\n        out = (p.stdout or '') + '\\n' + (p.stderr or '')\n        return out.strip()\n    except Exception:\n        return ''\n\ndef windows_candidates():\n    cmds = []\n    cmds.append([\n        'reg', 'query',\n        r'HKLM\\SOFTWARE\\Google\\Chrome\\BLBeacon',\n        '/v', 'version'\n    ])\n    cmds.append([\n        'reg', 'query',\n        r'HKCU\\SOFTWARE\\Google\\Chrome\\BLBeacon',\n        '/v', 'version'\n    ])\n    paths = [\n        os.path.expandvars(r'%ProgramFiles%\\Google\\Chrome\\Application\\chrome.exe'),\n        os.path.expandvars(r'%ProgramFiles(x86)%\\Google\\Chrome\\Application\\chrome.exe'),\n        os.path.expandvars(r'%LocalAppData%\\Google\\Chrome\\Application\\chrome.exe'),\n    ]\n    return cmds, paths\n\ndef mac_candidates():\n    paths = [\n        '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome',\n        os.path.expanduser('~/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'),\n    ]\n    return [], paths\n\ndef linux_candidates():\n    paths = [\n        '/usr/bin/google-chrome',\n        '/usr/bin/google-chrome-stable',\n        '/opt/google/chrome/chrome',\n        '/snap/bin/chromium',\n    ]\n    which_names = ['google-chrome', 'google-chrome-stable']\n    return which_names, paths\n\ndef get_version():\n    system = platform.system().lower()\n\n    if 'windows' in system:\n        cmds, paths = windows_candidates()\n        for cmd in cmds:\n            out = try_cmd(cmd)\n            ver = parse_version(out)\n            if ver:\n                return ver, 'registry'\n        for p in paths:\n            if os.path.exists(p):\n                out = try_cmd([p, '--version'])\n                ver = parse_version(out)\n                if ver:\n                    return ver, p\n        return None, ''\n\n    if 'darwin' in system or 'mac' in system:\n        _, paths = mac_candidates()\n        for p in paths:\n            if os.path.exists(p):\n                out = try_cmd([p, '--version'])\n                ver = parse_version(out)\n                if ver:\n                    return ver, p\n        return None, ''\n\n    which_names, paths = linux_candidates()\n    for name in which_names:\n        out = try_cmd(['sh', '-c', f'command -v {name}'])\n        bin_path = out.splitlines()[0].strip() if out else ''\n        if bin_path:\n            vout = try_cmd([bin_path, '--version'])\n            ver = parse_version(vout)\n            if ver:\n                return ver, bin_path\n    for p in paths:\n        if os.path.exists(p):\n            out = try_cmd([p, '--version'])\n            ver = parse_version(out)\n            if ver:\n                return ver, p\n    return None, ''\n\ndef main():\n    ver, source = get_version()\n    if not ver:\n        print('UNKNOWN: Google Chrome version not found on this host')\n        sys.exit(2)\n\n    found = '.'.join(str(x) for x in ver)\n    fixed = '.'.join(str(x) for x in FIXED)\n\n    if cmp_ver(ver, FIXED) < 0:\n        print(f'VULNERABLE: Google Chrome {found} detected from {source}; fixed version is {fixed} or later')\n        sys.exit(1)\n    else:\n        print(f'PATCHED: Google Chrome {found} detected from {source}; fixed version threshold is {fixed}')\n        sys.exit(0)\n\nif __name__ == '__main__':\n    main()\n
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: pull a browser-version report for all endpoints, identify Chrome installs below 149.0.7827.53, and fold them into your normal browser servicing ring. For a MEDIUM verdict there is noisgate mitigation SLA: no mitigation SLA — go straight to the 365-day remediation window; the noisgate remediation SLA is ≤365 days, though in a mature enterprise there is no reason Chrome should sit unpatched that long, so finish the rollout in your next routine endpoint cycle and verify relaunch compliance rather than treating this as an emergency incident.

Sources

  1. Chrome Releases: Stable Channel Update for Desktop
  2. CVE Record at CVE.org
  3. NVD: CVE-2026-11111
  4. Vulnerability-Lookup / CIRCL entry
  5. Chromium Issue 500530720
  6. CISA Known Exploited Vulnerabilities Catalog
  7. GovCERT.HK advisory for Chrome 149 vulnerabilities
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.