CVE-2026-11268 · Uninitialized Use in ANGLE in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a craf

01 · The Real Story

This is a peephole in Chrome’s graphics plumbing, not a front-door break-in

CVE-2026-11268 is an uninitialized use bug in ANGLE on Google Chrome for Windows that affects builds prior to 149.0.7827.53. The attacker’s play is simple: get a user onto a crafted HTML page, exercise the browser’s graphics stack, and recover cross-origin data that should have stayed isolated. This is a confidentiality bug, not code execution, and the platform scope matters: the published description is Windows-specific.

Google’s MEDIUM / 6.5 rating is basically fair in enterprise reality. Chrome is everywhere, which keeps the baseline meaningful, but the chain has real friction: it needs user interaction, it is client-side, it appears limited to information disclosure, and there is no KEV listing, no public exploitation evidence, and no public PoC at time of review. That keeps it out of the emergency lane unless you run highly sensitive browser sessions on Windows endpoints.

"Client-side data leak, not foothold creation: patch it, but don't let a browser info-disclosure eat your urgent queue."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Land the victim on a crafted page

The attacker needs a Windows user running vulnerable Chrome to open a malicious page. The page would use normal browser content plus JavaScript/WebGL activity to drive ANGLE code paths tied to the Chromium issue behind this CVE (issues.chromium.org/500528706). In practice this is a lure problem, not an internet-exposed service problem.

Conditions required:

Target is using Chrome on Windows
Chrome version is earlier than 149.0.7827.53
User visits attacker-controlled or attacker-influenced content

Where this breaks in practice:

Requires UI:R; no drive-by against a closed browser
Enterprise web filtering, Safe Browsing, and email/link controls cut down lure success
Windows-only scope narrows the reachable fleet

Detection/coverage: Network scanners will not find this. Detection is mainly asset/version visibility from EDR, browser management, or software inventory.

STEP 02

Trigger the ANGLE uninitialized read

Once the page is open, the exploit uses crafted rendering behavior to reach the uninitialized use condition in ANGLE. The goal is not to crash the browser but to read stale memory content that should not be exposed to page script. This is the classic memory-safety-to-disclosure pattern rather than a control-flow hijack.

Conditions required:

Relevant ANGLE code path is reachable in the target browser session
Exploit is tuned for the Windows Chrome build and runtime behavior

Where this breaks in practice:

Browser memory-layout variability can make disclosure bugs noisy and brittle
No public PoC suggests exploit development effort is non-trivial for opportunistic actors
Crash telemetry and browser instability can burn the attempt before useful data is recovered

Detection/coverage: Likely poor signature coverage. Browser crash spikes or renderer/GPU anomalies may show up in telemetry, but most vuln scanners will only flag the vulnerable version.

STEP 03

Turn stale memory into cross-origin data

The exploit then has to recover meaningful artifacts from leaked memory and prove they belong to another origin: response fragments, tokens, page content, or session-adjacent secrets. That is the real impact amplifier here. Without valuable material in memory, the bug is just a leak primitive with limited business value.

Conditions required:

Victim has sensitive web content active in the browser session
Leaked bytes are parseable and useful to the attacker

Where this breaks in practice:

Blast radius is limited to data present in that browser context, not arbitrary host takeover
Short-lived tokens, HttpOnly boundaries, and application-side reauth can reduce value
Many sessions simply will not hold high-value cross-origin material at the right moment

Detection/coverage: Difficult to detect directly. Focus on browser versioning plus downstream signs like suspicious session use or token abuse in SaaS logs.

STEP 04

Exfiltrate the recovered data

Finally, the malicious page sends recovered data back to attacker infrastructure over normal web traffic. At that point the browser flaw has already done its job; outbound HTTPS is just the exit channel. This is why the business risk hinges more on what users access in Chrome than on raw exploitability alone.

Conditions required:

Recovered data is valuable enough to exfiltrate
The page can make outbound requests or beacon through normal browser mechanisms

Where this breaks in practice:

DLP, proxy controls, and CSP/reporting can create partial visibility
Stolen data may still require follow-on abuse against protected apps with conditional access

Detection/coverage: Look for anomalous browser beacons to low-reputation domains, but expect low-fidelity detections. Version-based identification remains the primary control.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No confirmed active exploitation found at review time. It is not KEV-listed and I found no authoritative statement from Google or CISA indicating attacks in the wild. Sources: CISA KEV, Quanteta
Proof-of-concept availability	No public PoC located. The public reference trail points to the restricted Chromium tracker issue `500528706`, which is typical for Chrome bugs before broad patch uptake.
EPSS	0.00028 (~10.8th percentile as reflected by Quanteta). Translation: this is well below the profile of bugs that routinely turn into mass exploitation.
KEV status	No. No CISA Known Exploited Vulnerabilities listing as of 2026-06-06 review date. Source: CISA KEV Catalog
CVSS vector reality check	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N` maps cleanly to what this is: remote via web content, no auth, user interaction required, confidentiality-only impact. The important real-world brake is UI:R + client-side-only.
Affected versions	Google Chrome on Windows prior to `149.0.7827.53`. Google’s stable bulletin for Chrome 149 says Windows/Mac moved to `149.0.7827.53/.54`, while the CVE text itself explicitly scopes this flaw to Windows. Sources: Chrome Stable Update, Quanteta record
Fixed version	Patch floor is `149.0.7827.53` on Windows. For mixed desktop fleets, Google’s release note shows Windows/Mac `149.0.7827.53/.54` and Linux `149.0.7827.53`; for this CVE the relevant Windows safe floor is `.53` or later. Source: Chrome Stable Update
Scanning / exposure data	This is not meaningfully internet-enumerable through Shodan/Censys/FOFA the way a server CVE is. It is a browser client vulnerability, so exposure measurement should come from endpoint inventory, not internet scans. GreyNoise/Censys are still useful for campaign visibility generally, but they are the wrong primary lens here. Sources: GreyNoise, Censys Search
Disclosure timing	Publicly disclosed 2026-06-05; Google’s desktop stable update with the fix shipped 2026-06-02. That means patch availability preceded broad disclosure by a few days. Sources: Quanteta, Chrome Stable Update
Reporting / researcher	Public advisory metadata does not name an external researcher for this CVE. The public reference is the Chromium issue `500528706`; the stable-channel summary does not call this CVE out in the externally reported rewards section.

04 · The Call

noisgate verdict.

Final Verdict

= UNCHANGED to MEDIUM (5.8/10)

The decisive factor is that this bug is client-side information disclosure requiring user interaction, not unauthenticated server-side compromise. Chrome’s huge install base keeps it relevant, but the lack of code execution, lack of active exploitation evidence, and Windows-only scope keep it in MEDIUM.

HIGH Affected-version and fixed-version determination

MEDIUM Exploitability assessment without a public PoC

HIGH No KEV / no active-exploitation conclusion as of 2026-06-06

Why this verdict

Baseline starts at 6.5: Google/NVD already price in the serious part correctly — unauthenticated remote web content can cause cross-origin data disclosure.
Downward pressure: requires user interaction: the attacker must get a Windows user to open attacker-controlled content. That moves this from 'internet-reachable service bug' to 'lure-dependent client exploit'.
Downward pressure: no foothold creation: this is C:H / I:N / A:N. It can leak sensitive data, but it does not by itself hand over code execution or persistence on the endpoint.
Downward pressure: Windows-only scope: affected population is narrower than 'all Chrome everywhere', which matters in mixed OS fleets.
Downward pressure: no exploitation signal: no KEV, no public campaign reporting, no public PoC. That sharply reduces the odds of near-term broad weaponization versus higher-noise browser memory bugs.
Upward pressure: browser ubiquity and identity risk: if the victim is browsing high-value SaaS, a confidentiality-only bug can still expose session-adjacent material with real business impact.

Why not higher?

It is not higher because the chain lacks the two usual amplifiers that justify urgent browser work: active exploitation or code execution / sandbox escape. The attacker still has to win a lure, hit the right browser/runtime state, and extract useful cross-origin artifacts rather than simply take over the box.

Why not lower?

It is not lower because cross-origin data leakage in a modern enterprise browser is still meaningful, especially around SSO, admin consoles, and internal web apps. Chrome is broadly deployed, and even a confidentiality-only client bug can produce real account and data exposure when it lands on a privileged user.

05 · Compensating Control

What to do — in priority order.

Enforce Chrome version compliance — Use your browser management platform, EDR, or software inventory to find Windows Chrome < 149.0.7827.53 and ring-fence stragglers. For a MEDIUM verdict there is no mitigation SLA — go straight to the 365-day remediation window, but in practice browsers should be cleaned up in normal desktop update cadence, not left to rot.
Prioritize high-value browsing populations — Move admins, finance users, executives, help-desk staff, and VDI/kiosk pools to the front of the rollout because their browser sessions are more likely to hold valuable cross-origin material. Again, there is no mitigation SLA for MEDIUM here; this is targeted risk reduction while patching proceeds.
Tighten web isolation for risky destinations — If you already run browser isolation, remote browsing, or strong category-based filtering for unknown sites, make sure it is actually applied to unmanaged and newly registered domains. This does not replace patching, but it reduces the chance the required lure step succeeds while you work through the remediation window.
Watch SaaS logs for token misuse — Because the likely impact is data or session-adjacent theft, monitor suspicious logins, impossible travel, fresh device enrollments, and token reuse for high-risk apps. This is the right detective control for a confidentiality bug; there is no mitigation SLA to hit first for MEDIUM.

What doesn't work

A WAF does not help; the vulnerable surface is the client browser, not your web server.
Perimeter internet scanners like Shodan/Censys will not tell you who is exposed; this is an endpoint version-management problem.
General OS hardening does not remove the bug; the exploit target is Chrome’s ANGLE component on Windows.

06 · Verification

Crowdsourced verification payload.

Run this on the target Windows endpoint or through your software deployment/EDR remote shell. Invoke it as powershell -ExecutionPolicy Bypass -File .\check-chrome-cve-2026-11268.ps1; standard user rights are usually enough because it reads file metadata and common install paths. It prints VULNERABLE, PATCHED, or UNKNOWN and exits 1, 0, or 2 respectively.

noisgate-verify.ps1

POWERSHELLREAD-ONLYSAFE

# check-chrome-cve-2026-11268.ps1

# Checks whether Google Chrome on Windows is vulnerable to CVE-2026-11268

# Vulnerable if installed version is less than 149.0.7827.53

# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN


$ErrorActionPreference = 'Stop'
$patchedFloor = [version]'149.0.7827.53'

function Get-ChromeVersion {
    $candidates = @(
        "$Env:ProgramFiles\Google\Chrome\Application\chrome.exe",
        "$Env:ProgramFiles(x86)\Google\Chrome\Application\chrome.exe",
        "$Env:LocalAppData\Google\Chrome\Application\chrome.exe"
    )

    foreach ($path in $candidates) {
        if (Test-Path $path) {
            try {
                $item = Get-Item $path
                $ver = $item.VersionInfo.ProductVersion
                if (-not [string]::IsNullOrWhiteSpace($ver)) {
                    return [PSCustomObject]@{ Path = $path; Version = $ver }
                }
            } catch {
                continue
            }
        }
    }

    return $null
}

try {
    $chrome = Get-ChromeVersion

    if ($null -eq $chrome) {
        Write-Output 'UNKNOWN - Google Chrome not found in standard install paths'
        exit 2
    }

    try {
        $installed = [version]$chrome.Version
    } catch {
        Write-Output ("UNKNOWN - Unable to parse Chrome version '{0}' at {1}" -f $chrome.Version, $chrome.Path)
        exit 2
    }

    if ($installed -lt $patchedFloor) {
        Write-Output ("VULNERABLE - Chrome {0} at {1} is earlier than fixed version {2}" -f $installed, $chrome.Path, $patchedFloor)
        exit 1
    } else {
        Write-Output ("PATCHED - Chrome {0} at {1} meets or exceeds fixed version {2}" -f $installed, $chrome.Path, $patchedFloor)
        exit 0
    }
} catch {
    Write-Output ('UNKNOWN - ' + $_.Exception.Message)
    exit 2
}

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, pull an inventory of Windows endpoints running Chrome earlier than 149.0.7827.53, with a separate lens for admins, executives, finance, support desks, VDI, and kiosk pools where browser sessions are likely to hold sensitive cross-origin material. For this MEDIUM reassessment there is no noisgate mitigation SLA — go straight to the 365-day remediation window; that means no mandatory temporary block deadline, but you should still clean this up in normal browser-update operations and complete full patching by 2027-06-05 under the noisgate remediation SLA.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.