Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-15109

CVE-2026-15109: Google Chrome ANGLE Information Disclosure

CVE-2026-15109 is an information disclosure vulnerability in Google Chrome's ANGLE component that allows attackers to access sensitive process memory. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-15109 Overview

CVE-2026-15109 is an uninitialized memory use vulnerability in ANGLE, the graphics abstraction layer used by Google Chrome to translate OpenGL ES calls to native graphics APIs. The flaw affects Chrome versions prior to 150.0.7871.115. A remote attacker can exploit the issue by serving a crafted HTML page, causing Chrome to read uninitialized process memory. This exposure can leak sensitive data residing in the renderer process. Google classifies the Chromium security severity as High. The weakness is categorized as [CWE-457] Use of Uninitialized Variable.

Critical Impact

Remote attackers can leak sensitive data from Chrome renderer process memory by luring users to a malicious web page rendered through ANGLE.

Affected Products

  • Google Chrome Desktop versions prior to 150.0.7871.115
  • ANGLE graphics component embedded in Chromium
  • Chromium-based browsers that ship the vulnerable ANGLE build

Discovery Timeline

  • 2026-07-08 - CVE-2026-15109 published to NVD
  • 2026-07-08 - Last updated in NVD database

Technical Details for CVE-2026-15109

Vulnerability Analysis

The vulnerability resides in ANGLE, which brokers WebGL and other graphics calls between the Chrome renderer and the host graphics stack. ANGLE fails to initialize a memory region before using it in a graphics operation. When JavaScript on an attacker-controlled page triggers the affected code path, the browser reads memory that still contains residual data from prior allocations.

The attacker cannot directly control the leaked bytes, but repeated calls allow them to sample memory across the renderer process. Leaked content may include pointers useful for bypassing Address Space Layout Randomization (ASLR), fragments of prior web content, authentication tokens, or session data. This class of bug is commonly chained with a separate memory corruption primitive to construct a full renderer exploit.

Root Cause

The root cause is a missing initialization step on a stack or heap buffer inside ANGLE before that buffer is consumed by a graphics API call. [CWE-457] weaknesses arise when developers assume allocated memory is zeroed or overwritten before use. In this instance, an ANGLE code path returns or forwards the buffer contents to the caller without first setting a defined value.

Attack Vector

Exploitation requires a victim to load a crafted HTML page in a vulnerable Chrome build. The page issues WebGL or Canvas operations that route through the affected ANGLE code path. No authentication or additional user interaction beyond page navigation is required. The vulnerability manifests remotely across the network attack surface. Technical specifics are tracked in the Chromium Issue Tracker Entry and the fix ships in the release documented in the Google Chrome Stable Update.

Detection Methods for CVE-2026-15109

Indicators of Compromise

  • Chrome browser processes running versions earlier than 150.0.7871.115 on endpoints reporting to inventory systems
  • Browser telemetry showing renderer crashes or anomalous WebGL API sequences originating from untrusted domains
  • Outbound connections from browser sessions to newly registered domains that serve WebGL-heavy pages

Detection Strategies

  • Inventory Chrome versions across managed endpoints and flag any host below 150.0.7871.115
  • Monitor for unusual WebGL shader compilation patterns and repeated readPixels-style operations in browser telemetry
  • Correlate renderer process anomalies with the browsing history of the affected user session

Monitoring Recommendations

  • Enable enterprise browser reporting to centralize Chrome version and crash data
  • Alert on Chrome processes performing unexpected memory reads or exhibiting repeated renderer crashes tied to a single origin
  • Track EPSS scoring updates for CVE-2026-15109 to detect shifts in exploitation likelihood

How to Mitigate CVE-2026-15109

Immediate Actions Required

  • Update Google Chrome to version 150.0.7871.115 or later on all managed endpoints
  • Restart Chrome after applying the update to ensure the patched ANGLE component loads
  • Push the update to Chromium-based browsers that consume upstream ANGLE fixes

Patch Information

Google addressed the uninitialized use in ANGLE in Chrome Stable 150.0.7871.115. Details of the release are documented in the Google Chrome Stable Update advisory. Administrators using enterprise deployment tooling should verify the patched version is present in their update channels and force a browser relaunch to activate the fix.

Workarounds

  • Disable hardware acceleration in Chrome to reduce reliance on ANGLE code paths until the update is deployed
  • Restrict WebGL usage through enterprise policy where feasible for high-risk user groups
  • Enforce strict site isolation and block navigation to untrusted domains via web filtering controls
bash
# Verify installed Chrome version on Linux
google-chrome --version

# Windows enterprise policy: disable hardware acceleration until patched
# HKLM\SOFTWARE\Policies\Google\Chrome
# HardwareAccelerationModeEnabled = 0 (DWORD)

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.