VYPR
Vypr IntelligenceAI-generatedJun 4, 2026· 3 CVEs

Google ANGLE: Two Critical Sandbox Escapes and Data Leak Flaws Disclosed

Google's ANGLE graphics engine saw three vulnerabilities disclosed on June 4, 2026, including two critical flaws allowing sandbox escapes and one medium-severity data leak.

Key findings

  • Two critical ANGLE vulnerabilities (CVE-2026-10881, CVE-2026-11088) allow sandbox escapes.
  • A medium-severity flaw (CVE-2026-11090) enables cross-origin data leakage.
  • All three bugs were fixed in Google Chrome 149.0.7827.53.
  • The disclosures coincide with Chrome 149 patching a record 429 vulnerabilities.
  • AI is noted as a significant factor in the increased volume of vulnerability reports.

On June 4, 2026, a cluster of three vulnerabilities affecting Google's ANGLE graphics engine was disclosed, impacting Google Chrome. The disclosures include two critical severity flaws, CVE-2026-10881 and CVE-2026-11088, both rated at CVSSv3 9.6, and a medium severity data leak vulnerability, CVE-2026-11090.

These vulnerabilities were all fixed in Google Chrome version 149.0.7827.53. The disclosures align with a significant increase in vulnerability reporting, with Chrome 149 patching a record 429 security bugs, a number far exceeding previous releases. This surge is partly attributed to the increasing use of AI in vulnerability discovery and reporting, a trend noted by security researchers.

The most severe of the disclosed flaws, CVE-2026-10881, is an out-of-bounds read and write vulnerability within ANGLE. This could allow a remote attacker, via a specially crafted HTML page, to potentially escape Chrome's sandbox. SecurityWeek highlighted this as the most severe bug in the Chrome 149 update, noting its potential to achieve code execution.

Similarly, CVE-2026-11088, also rated critical, involves an integer overflow in ANGLE. While described as potentially leading to a sandbox escape, its Chromium security severity was noted as Medium. This suggests that while the potential impact is high, the exploitability or specific conditions required might be more constrained than other critical vulnerabilities.

The third vulnerability, CVE-2026-11090, is a medium-severity flaw related to uninitialized use in ANGLE. This could permit a remote attacker to leak cross-origin data through a malicious HTML page. While not as severe as the sandbox escape vulnerabilities, data leakage can still pose significant risks to user privacy and security.

All three vulnerabilities were addressed in Chrome 149.0.7827.53, which was released shortly after the disclosure window. Users are strongly advised to ensure their Chrome browsers are updated to this version or later to mitigate these risks. The simultaneous disclosure of these ANGLE-specific flaws underscores the ongoing importance of securing complex rendering engines within web browsers, especially as new discovery methods like AI accelerate the vulnerability disclosure cycle.

AI-written article. Grounded in 3 CVE records listed below.