Google Chrome, Out-of-bounds Read, CVE-2026-11006 (Medium) -DC-Jun2026-270

CVE-2026-11006 is a medium‑severity vulnerability in Google Chrome’s Dawn engine – the open‑source, cross‑platform implementation of the WebGPU standard. All Chrome versions prior to 149.0.7827.53 are affected. The flaw allows a remote attacker to trigger an out‑of‑bounds memory read by luring a victim to a specially crafted HTML page.
Dawn is the component that translates WebGPU API calls into native GPU commands (using D3D12, Metal, Vulkan, OpenGL). To process GPU resources, Dawn manages internal buffers that hold indices, offsets, or shader data. The vulnerability stems from a missing or insufficient boundary check when handling a dynamically sized “buffer handle” or a “dynamic offset” during a GPU operation.
Specifically, when a WebGPU command uses a dynamic offset to index into a buffer, the code copies the buffer’s handle and updates its associated data. If the attacker can control the offset and the buffer’s length, they can force the engine to read past the allocated region. The issue is triggered when the offset plus the read size exceeds the buffer’s real capacity, but the engine proceeds with the operation because the validation logic fails to cap the offset properly. This results in a CWE‑125 out‑of‑bounds read.
Because the read occurs inside the renderer process, which is normally sandboxed, the impact is limited to confidentiality – the attacker can leak in‑process memory contents that may contain cross‑origin data, security tokens, or other sensitive information. The flaw cannot directly write memory or break out of the sandbox, which is why Chromium rates it as Medium. However, an out‑of‑bounds read can still be chained with other vulnerabilities to increase the attack surface. The attack is entirely remote: the victim must visit a malicious web page, and no special privileges are required.
The Chromium security team addressed the issue by adding a strict bounds check before the memory operation. In the patched version, the engine validates that `offset + requested_size ≤ buffer_size` and rejects any command that would exceed the buffer. The fix was included in Chrome 149.0.7827.53, which was released to the stable channel on June 4, 2026.
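
The bounds check described above, written out as an added example (not Dawn's source and not the actual patch). The `BufferBinding` struct and both function names are hypothetical; the example goes one step beyond the text by showing that evaluating `offset + requested_size` directly can wrap around, so the comparison is rearranged to avoid any overflowing addition.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical description of a buffer binding; not Dawn's real types.
struct BufferBinding {
    uint64_t bufferSize;   // total size of the underlying allocation
    uint64_t baseOffset;   // static offset fixed when the binding was created
    uint64_t bindingSize;  // bytes accessible through the binding
};

// Naive check: the sum wraps around for very large offsets, so an
// out-of-range request can compare as "in range".
bool NaiveInBounds(const BufferBinding& b, uint64_t dynamicOffset) {
    return b.baseOffset + dynamicOffset + b.bindingSize <= b.bufferSize;
}

// Overflow-safe check: subtract only after proving the subtraction cannot
// underflow, so no intermediate value can wrap.
bool SafeInBounds(const BufferBinding& b, uint64_t dynamicOffset) {
    if (b.bindingSize > b.bufferSize) return false;
    uint64_t room = b.bufferSize - b.bindingSize;  // highest legal start
    if (b.baseOffset > room) return false;
    return dynamicOffset <= room - b.baseOffset;
}

int main() {
    BufferBinding b{64, 0, 16};  // constructed sample values
    const uint64_t offsets[] = {0, 48, 49, 128, UINT64_MAX - 7};
    for (uint64_t off : offsets) {
        std::printf("offset=%llu naive=%d safe=%d\n",
                    (unsigned long long)off,
                    NaiveInBounds(b, off), SafeInBounds(b, off));
    }
    return 0;
}
```

The last sample offset is the case to watch: the naive sum wraps and passes, while the rearranged check rejects it.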

DailyCVE Form:

Platform: Google Chrome
Version: prior to 149.0.7827.53
Vulnerability: Out-of-bounds read
Severity: Medium (6.5 CVSS)
Date: 2026‑06‑04

Prediction: 2026‑06‑04 (already patched)

What Undercode Say:

```bash
# Check current Chrome version
google-chrome --version

# Update to the latest stable build (Debian/Ubuntu package shown; Chrome has no --update flag)
sudo apt-get update && sudo apt-get install --only-upgrade google-chrome-stable

# List Dawn-related shared objects, if the build ships any separately
ls -la /opt/google/chrome/libdawn*

# Grep for out-of-bounds patterns in Dawn source (example)
grep -r "out of bounds" /path/to/dawn/src/

# Simulate a boundary violation with a simple WebGPU snippet (conceptual)
echo "const buffer = device.createBuffer({ size: 64, usage: GPUBufferUsage.STORAGE });" \
"device.queue.writeBuffer(buffer, 128, new Uint8Array(1));" \
> test_bad_offset.js
```

Exploit:

The attacker crafts an HTML page that:

  1. Requests a WebGPU device and creates a storage buffer of size N (e.g., 64 bytes).
  2. Issues a `writeBuffer` or a draw command with a dynamic offset O where O + read_length > N.
  3. The Dawn engine, before the patch, does not validate the bound. It copies the buffer handle and updates its internal metadata, but then proceeds to read outside the allocated region.
  4. The out‑of‑bounds read leaks the adjacent memory content. The attacker receives this leaked data, potentially including cross‑origin information or addresses that defeat ASLR.
  5. The exploit is delivered via a malicious website or ad, requiring only that the victim has an affected Chrome version and visits the page.

Protection:

  • Upgrade immediately to Chrome 149.0.7827.53 or later.
  • Enable automatic updates in Chrome (Settings → About Chrome → Automatic updates for Chrome).
  • Use Chrome’s Safe Browsing feature to block known malicious sites.
  • For enterprises, consider deploying a group policy that forces the latest version and blocks outdated builds.
  • As a workaround, disable WebGPU support via `chrome://flags/enable-webgpu` if the risk cannot be mitigated immediately.

Impact:

  • Confidentiality: An attacker can read arbitrary memory within the renderer process, potentially exposing cross‑origin data, cookies, passwords, or memory layout information that aids further exploitation.
  • Availability: The out‑of‑bounds read can cause a segmentation fault or crash, leading to denial of service.
  • Integrity: None directly, because the vulnerability is read‑only.
  • Attack Complexity: Low – the attacker only needs to serve a crafted HTML page and convince the victim to visit it.
  • Privileges Required: None.
  • User Interaction: Required – the victim must navigate to the malicious page.

The vulnerability is not known to be exploited in the wild (no CISA KEV entry) and no public exploit code has been released as of June 8, 2026.

Sources:

Reported By: nvd.nist.gov