Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Uninitialized Use in ANGLE in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
AnalysisAI
Cross-origin data leakage in Google Chrome's ANGLE graphics layer on Windows allows a remote unauthenticated attacker to read sensitive cross-origin memory contents by delivering a crafted HTML page to a victim. Affected are all Chrome versions on Windows prior to 149.0.7827.53. The root cause is an uninitialized memory use (CWE-457) within ANGLE, Chrome's graphics abstraction library. No public exploit has been identified at time of analysis, EPSS is very low at 0.03% (11th percentile), and the vulnerability is not listed in the CISA KEV catalog, consistent with the vendor's own 'Low' severity rating.
Technical ContextAI
ANGLE (Almost Native Graphics Layer Engine) is the open-source graphics library embedded in Chromium that translates OpenGL ES API calls into platform-native graphics APIs - on Windows, this means Direct3D. CWE-457 (Use of Uninitialized Variable) describes a class of vulnerability where memory buffers are allocated but not zeroed or fully written before being read or referenced. In this context, ANGLE processes attacker-controlled graphics primitives from a crafted HTML page; residual heap or stack memory from prior allocations - potentially containing cross-origin pixel data, GPU buffer contents, or other sensitive in-process material - can be exposed to the attacking origin through the rendering pipeline. The Chromium security issue tracker reference (issues.chromium.org/issues/500528706) and the advisory from chrome-cve-admin@google.com confirm this is a Chromium-tracked defect. The Windows-specific scope is consistent with ANGLE's Direct3D translation path, which differs from its behavior on other platforms.
RemediationAI
The primary fix is to update Google Chrome on Windows to version 149.0.7827.53 or later, which is confirmed as the patched stable channel release per the Google Chrome Releases advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Chrome's auto-update mechanism will deliver this patch to most managed and consumer endpoints automatically; administrators should verify via chrome://settings/help or fleet management tools that all Windows endpoints have reached this version. No specific workaround is documented by the vendor. As a compensating control for environments unable to immediately patch, restricting navigation to untrusted external web content via enterprise policy (e.g., Chrome's URL blocklist or network-level web filtering) would reduce exposure, though this may impact legitimate browsing. Disabling JavaScript or sandboxed rendering is not a practical mitigation for typical deployments.
Same weakness CWE-457 – Use of Uninitialized Variable
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34729
GHSA-cr8x-3cwc-9cpg