Skip to main content

Google Chrome EUVDEUVD-2026-34729

| CVE-2026-11268 MEDIUM
Use of Uninitialized Variable (CWE-457)
2026-06-05 chrome-cve-admin@google.com GHSA-cr8x-3cwc-9cpg
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
SUSE
MEDIUM
qualitative
Red Hat
7.4 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 20:52 vuln.today
CVSS changed
Jun 05, 2026 - 20:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 05, 2026 - 00:17 nvd
MEDIUM 6.5
CVE Published
Jun 05, 2026 - 00:17 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Uninitialized Use in ANGLE in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)

AnalysisAI

Cross-origin data leakage in Google Chrome's ANGLE graphics layer on Windows allows a remote unauthenticated attacker to read sensitive cross-origin memory contents by delivering a crafted HTML page to a victim. Affected are all Chrome versions on Windows prior to 149.0.7827.53. The root cause is an uninitialized memory use (CWE-457) within ANGLE, Chrome's graphics abstraction library. No public exploit has been identified at time of analysis, EPSS is very low at 0.03% (11th percentile), and the vulnerability is not listed in the CISA KEV catalog, consistent with the vendor's own 'Low' severity rating.

Technical ContextAI

ANGLE (Almost Native Graphics Layer Engine) is the open-source graphics library embedded in Chromium that translates OpenGL ES API calls into platform-native graphics APIs - on Windows, this means Direct3D. CWE-457 (Use of Uninitialized Variable) describes a class of vulnerability where memory buffers are allocated but not zeroed or fully written before being read or referenced. In this context, ANGLE processes attacker-controlled graphics primitives from a crafted HTML page; residual heap or stack memory from prior allocations - potentially containing cross-origin pixel data, GPU buffer contents, or other sensitive in-process material - can be exposed to the attacking origin through the rendering pipeline. The Chromium security issue tracker reference (issues.chromium.org/issues/500528706) and the advisory from chrome-cve-admin@google.com confirm this is a Chromium-tracked defect. The Windows-specific scope is consistent with ANGLE's Direct3D translation path, which differs from its behavior on other platforms.

RemediationAI

The primary fix is to update Google Chrome on Windows to version 149.0.7827.53 or later, which is confirmed as the patched stable channel release per the Google Chrome Releases advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Chrome's auto-update mechanism will deliver this patch to most managed and consumer endpoints automatically; administrators should verify via chrome://settings/help or fleet management tools that all Windows endpoints have reached this version. No specific workaround is documented by the vendor. As a compensating control for environments unable to immediately patch, restricting navigation to untrusted external web content via enterprise policy (e.g., Chrome's URL blocklist or network-level web filtering) would reduce exposure, though this may impact legitimate browsing. Disabling JavaScript or sandboxed rendering is not a practical mitigation for typical deployments.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

EUVD-2026-34729 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy