Google has released an emergency update for Chrome, version 149.0.7827.103, to plug a high-severity security hole that could let attackers read sensitive information straight out of your browser’s memory. Dubbed CVE-2026-11675, the flaw is an out-of-bounds read in Skia, the open-source 2D graphics library that powers Chrome’s rendering engine. The update started rolling out on June 10, 2026, and users are being urged to apply it immediately—an attacker merely needs to lure a victim to a malicious website to exploit the bug.
Inside the Vulnerability: What Skia Does and Why It Matters
Skia is the muscle behind every pixel you see in Chrome, from rendering web fonts to painting HTML canvases. It’s a C++ library maintained by Google and used across Chrome, Android, Flutter, and even some text editors. Because it deals with complex geometries and untrusted web content, any memory corruption bug in Skia is a golden ticket for attackers.
CVE-2026-11675 is an out-of-bounds (OOB) read vulnerability. In simple terms, when Chrome processes a specially crafted image or a maliciously designed CSS effect, Skia can accidentally read memory beyond the boundaries of an allocated buffer. This isn’t like a buffer overflow that lets an attacker write and execute code; instead, it leaks whatever data happens to sit next to that buffer in memory. In a web browser, that leaked data could include things like authentication cookies, session tokens, or even the contents of other webpages if certain isolation boundaries are weak.
Google is withholding full technical details until a majority of users have updated (a standard responsible‑disclosure practice), but the company’s internal severity rating classifies the bug as “High.” In Chrome’s security taxonomy, that means an attacker can compromise the confidentiality of user data without necessarily escaping the sandbox. Since it affects only the renderer process, the immediate impact is information disclosure rather than complete system takeover. However, in combination with a sandbox escape, a leaked crypto key or password could prove catastrophic.
The Attack Scenario: Renderer Compromise from a Single Click
The most likely attack vector is a drive‑by download: a user visits a crafted webpage, and malicious JavaScript or a rogue image tag triggers the Skia code path. Because the bug lives inside the renderer, no user interaction beyond browsing is required. The attacker could read arbitrary memory from the renderer process, potentially harvesting session identifiers for other sites or even Chrome’s internal bookmarks and history.
Enterprise environments face an elevated risk. A successful exploit could bypass network segmentation if the compromised endpoint is used to access internal corporate portals. The stolen credentials might then allow lateral movement. While Chrome’s sandbox architecture normally isolates renderers from the OS, a data leak at the renderer level still exposes everything that process has in memory—which, in Chrome’s multi‑process model, typically includes all tabs sharing that renderer process.
Security researchers have speculated that CVE-2026-11675 might be related to the way Skia handles SVG filters or anti‑aliased path rendering, both common sources of past OOB reads. In 2024, a similar Skia bug (CVE-2024‑9563) allowed a crafted CSS clip-path to read pixel data from outside a webpage’s visible area, effectively making it possible to spy on other open tabs. The new vulnerability appears broader, affecting any Skia‑backed rendering operation, which enlarges the attack surface dramatically.
Affected Versions and the Patch Timeline
All Chrome builds on Windows, macOS, and Linux prior to 149.0.7827.103 are vulnerable. The fix was included in a stable channel update on June 10, 2026. Google’s release blog post lists CVE-2026-11675 as the sole security fix in that release—a mark of how urgent the patch was.
| Platform | Affected Versions | Fixed Version |
|---|---|---|
| Windows | < 149.0.7827.103 | 149.0.7827.103 |
| macOS | < 149.0.7827.103 | 149.0.7827.103 |
| Linux | < 149.0.7827.103 | 149.0.7827.103 |
| Android | < 149.0.7827.103 (Chrome for Android) | 149.0.7827.103 |
| iOS | < 149.0.7827.103 (Chrome for iOS) | 149.0.7827.103 |
The update is delivered through Chrome’s built‑in auto‑update mechanism. Most users will receive it silently within days, but those who have disabled automatic updates or are running older Linux distributions that rely on standalone packages must update manually. Enterprise administrators should prioritize this patch via their management consoles (e.g., Group Policy on Windows, plist on macOS).
Chromium‑based browsers like Microsoft Edge, Brave, and Opera will likely inherit the fix in their next respective releases, as they share the Skia library. However, no official statements from those vendors have been made at the time of writing.
Community and Security Expert Reactions
Although there is no public exploit code yet, the infosec community has already sounded alarms. “Out‑of‑bounds reads in graphics libraries are deceptively dangerous,” said Katja Orellana, a researcher at Cyphra. “You don’t need to escape the sandbox to steal credentials if the renderer already holds them. We’ve seen this attack pattern weaponized before, and with Chrome’s share of the browser market, the potential victim pool is enormous.”
On Twitter, the vulnerability has reignited debates about the safety of C++ in user‑facing code. Skia, like many performance‑critical libraries, is written in C++ without runtime bounds checking by default. While Google employs extensive fuzzing and static analysis, bugs still slip through. The Chromium project has been gradually migrating new code to Rust—a memory‑safe language—but Skia remains a massive C++ codebase.
For Windows users specifically, the bug highlights a persistent tension: Chrome’s sandbox on Windows is robust, but renderer memory disclosure still undermines the Same‑Origin Policy if two sensitive pages share a renderer process. Enabling Strict Site Isolation (chrome://flags#enable-site-per-process) forces Chrome to run each site in its own process, effectively containing the damage of such a bug. This setting is already enabled by default on some platforms but not all; users can verify it at chrome://process-internals.
Immediate Steps to Protect Yourself
- Update Chrome now. Go to chrome://settings/help and ensure the version number is 149.0.7827.103 or later. If it isn’t, restart the browser to apply the pending update.
- Enable automatic updates and avoid disabling the Google Update services. Those services check for patches multiple times a day.
- Consider enabling Strict Site Isolation if your system has sufficient RAM. This can be toggled in chrome://flags.
- Be cautious with extensions. Extensions can sometimes widen the attack surface; review your installed extensions and remove any you don’t need.
- Corporate IT teams should push the update immediately via WSUS or MDM, and scan network logs for unusual cross‑origin requests that might indicate an exploit attempt.
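
For IT teams working through the steps above, a fleet-side version check (an added example, not code from Google or the original article): it compares version strings collected from endpoints against the fixed build 149.0.7827.103 listed in the table. The hostnames and reported strings are constructed sample data, and the inventory export that supplies them is assumed.

```python
import re

# Fixed stable build named in the article's table for CVE-2026-11675.
FIXED = (149, 0, 7827, 103)

# Chrome versions are four dot-separated integers: MAJOR.MINOR.BUILD.PATCH.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(reported):
    """Classify one reported version string against the fixed build."""
    version = parse_version(reported or "")
    if version is None:
        return "unknown"  # treat as unpatched until verified by hand
    # Tuple comparison is numeric per component, so 149.0.7827.99 sorts
    # below 149.0.7827.103 (a plain string comparison gets this wrong).
    return "patched" if version >= FIXED else "vulnerable"


def triage(inventory):
    """Group hostnames by status; inventory maps hostname -> reported string."""
    report = {"vulnerable": [], "patched": [], "unknown": []}
    for host, reported in sorted(inventory.items()):
        report[classify(reported)].append(host)
    return report


# Constructed sample inventory (hostnames and strings are made up).
SAMPLE_INVENTORY = {
    "win-fin-01": "Google Chrome 149.0.7827.103",
    "win-fin-02": "Google Chrome 149.0.7827.99",
    "mac-dev-07": "Google Chrome 148.0.7778.216",
    "lin-ops-03": "Google Chrome 150.0.7850.12 beta",
    "lin-ops-04": "",
    "kiosk-11": "chrome: command not found",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Hosts that land in "unknown" returned no parseable version and should be checked by hand rather than assumed patched.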
The Bigger Picture: Chrome’s Endless Patch Cycle
CVE-2026-11675 is the 15th high‑severity Chrome bug patched in 2026, a number that underscores the browser’s complexity. Each release of Chrome introduces new features, new APIs, and new potential attack surfaces. Skia is not the only graphics library under scrutiny—WebGPU, WebGL, and the recently added WebHID API all present similar challenges.
Google’s bug bounty program paid out $2.5 million in rewards last year, a large portion of which went to researchers discovering memory safety issues in components like Skia. The program incentivizes responsible disclosure, and to its credit, Google often patches critical bugs within days of receiving a report. For CVE-2026-11675, the timeline from report to fix was reportedly about two weeks, a turnaround that reflects the seriousness of the flaw.
Nevertheless, the platform’s sheer install base—approximately 3.2 billion users across all devices—means that even a 0.01% exposure rate translates to 320,000 potential victims. That’s why public announcements like this one matter: they drive the adoption cadence that automated updates alone cannot achieve.
From Skia Chromium to Windows Kernel: Understanding the Risk Chain
While this vulnerability is confined to the renderer, security engineers always consider escalation paths. A hypothetical attack could combine CVE-2026-11675 with a second bug, such as a kernel‑level flaw in Windows’ win32k drivers or a Chrome sandbox escape, to achieve full system access. Such chained exploits have been seen before (e.g., the 2024 “Trident” exploit that used a WebGL memory leak plus a kernel pool corruption).
Windows 11’s Hypervisor‑protected Code Integrity (HVCI) and arbitrary code guard mitigations make kernel exploits harder, but they do not stop data leaks from user‑mode processes. That’s why prompt patching remains the first and best defense.
Conclusion: Patch Now, Stay Vigilant
CVE-2026-11675 is a stark reminder that even the most widely used software is not immune to classic memory‑safety bugs. Google’s rapid response is commendable, but the responsibility now falls on every user and IT administrator to apply the update. Check your Chrome version, hit that “Relaunch” button, and then return to your day—knowing you’ve just closed a hole that could have exposed your digital life.
Chrome’s security team has stated that additional hardening measures for Skia will follow in an upcoming release, possibly including more aggressive sandboxing of the graphics pipeline. Until then, keep your browser up‑to‑date and your eyes open; the next CVE is already being written.