CVE-2026-10907: Chrome ANGLE Out-of-Bounds Write – Remote Code Execution Risk
A memory safety vulnerability in Google Chrome's ANGLE rendering library allows an attacker to craft a malicious webpage that, when visited by a user, could corrupt the browser's memory heap. This out-of-bounds write flaw can lead to code execution with the privileges of the user running Chrome. The vulnerability requires user interaction—someone must visit the compromised or attacker-controlled page—but needs no special browser configuration or user permissions to trigger the exploit.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-787
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Out of bounds write in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10907 is an out-of-bounds write vulnerability (CWE-787) in ANGLE, the graphics abstraction layer used by Chrome to translate graphics API calls to platform-specific renderers. A remote attacker can construct a crafted HTML page that causes Chrome to write data beyond the allocated bounds of a heap buffer. This memory corruption can overwrite adjacent heap structures, leading to information disclosure, memory corruption, or arbitrary code execution. The vulnerability affects Chrome versions prior to 149.0.7827.53 across multiple platforms (Windows, macOS, Linux). ANGLE is widely used, making this a systemic risk to Chrome-based browsers on all supported operating systems.
Business impact
Organizations and end-users relying on Chrome face immediate risk of browser compromise through drive-by attacks—users need only visit a malicious or compromised website. Successful exploitation could allow attackers to steal sensitive data (authentication credentials, personal information, intellectual property), install malware, or pivot to internal networks if the browser is used to access corporate resources. For enterprises, this translates to potential data exfiltration, credential theft, and lateral movement vectors. The attack surface is broad because it requires only a crafted HTML page and user interaction, making targeted and mass-scale campaigns feasible.
Affected systems
Google Chrome versions prior to 149.0.7827.53 running on Windows, macOS, and Linux are directly affected. Because ANGLE is the graphics layer abstraction in Chrome and Chromium-based browsers, other browsers built on Chromium (such as Edge, Brave, Opera, and others) may also be vulnerable if they use vulnerable versions of the Chromium codebase. End-users and organizations using Chrome or Chromium derivatives on any of the listed platforms should treat this as a critical update priority.
Exploitability
This vulnerability carries a high exploitability profile. The attack requires only network access and user interaction (the user must navigate to or open a page containing the exploit). No authentication, elevated privileges, or special browser configuration is needed. The crafted HTML page is the only attack vector required. While the vulnerability is not currently in the CISA Known Exploited Vulnerabilities (KEV) catalog, the low barrier to exploitation and high impact potential mean active exploitation is likely once public proof-of-concept code emerges. Attackers can distribute the exploit via phishing, compromised websites, malvertising, or watering-hole attacks.
Remediation
Update Google Chrome to version 149.0.7827.53 or later immediately. Users should enable automatic updates to ensure timely patching. For enterprises managing Chrome deployments, verify Chrome is configured to auto-update or deploy version 149.0.7827.53 or later through your deployment tool. Validate that Chromium-based alternatives (Edge, Brave, etc.) have also received their corresponding patches, as they may use vulnerable Chromium code. Monitor for any indicators that users have visited malicious pages before the patch was applied.
Patch guidance
Google released Chrome 149.0.7827.53 addressing this vulnerability. Users should immediately check their Chrome version (Menu > Help > About Google Chrome) and allow the update to complete and restart the browser. For Windows, macOS, and Linux deployments: verify auto-update is enabled, or manually trigger an update check. Enterprise administrators using mobile device management (MDM) or endpoint tools should push Chrome 149.0.7827.53 or later to all managed devices. Verify patch deployment and browser version post-update. If users are running Chromium forks (Edge, Brave, etc.), verify those vendors have released patched versions and deploy those as well.
Detection guidance
Post-patch, monitor for signs of compromise: check for unusual browser processes, unexpected child processes spawned from the browser, or anomalous memory usage patterns. Review web proxy logs for visits to known malicious domains or attacker infrastructure related to this exploit. Monitor endpoint detection and response (EDR) solutions for process injection, code execution, or credential theft post-compromise. If Chrome users accessed untrusted content before the patch, review for credential compromise, unauthorized data access, or lateral movement attempts. Browsers with auto-update enabled and verified current patches should be at lower risk; prioritize checking devices that were offline or had auto-update disabled during the vulnerability window.
Why prioritize this
This vulnerability merits immediate patching (within 24-48 hours for most organizations). The combination of high CVSS score (8.8), low attack complexity, low barrier to exploitation, broad user population, and potential for code execution and data exfiltration creates urgent risk. While not yet in CISA's KEV catalog, the public disclosure and ease of exploitation mean weaponized proof-of-concept code is likely imminent. Browser compromise enables lateral movement and credential theft, amplifying enterprise risk. The patch is non-disruptive and auto-deployable, eliminating deployment friction as an excuse for delay.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) reflects: attack vector network (AV:N)—attacker needs only an internet connection; attack complexity low (AC:L)—no special conditions required; privilege required none (PR:N)—no prior access needed; user interaction required (UI:R)—user must visit a page; scope unchanged (S:U)—no privilege escalation beyond the browser context; confidentiality, integrity, and availability all high (C:H/I:H/A:H)—successful exploitation allows data theft, code execution, and denial of service. This score appropriately reflects the real-world danger of a remote code execution vulnerability in a ubiquitous application requiring only drive-by access.
Frequently asked questions
Does this vulnerability require JavaScript to be enabled?
The vulnerability exists in ANGLE's graphics rendering layer, which processes WebGL and other GPU-accelerated content. While a crafted HTML page could trigger it, the exact preconditions (whether JavaScript is required, or if WebGL-based rendering alone suffices) depend on the specific exploit. To be safe, assume the vulnerability can be triggered through normal web browsing. Disabling JavaScript does not eliminate risk from WebGL-based attacks.
Is the vulnerability exploited in the wild today?
As of the last update, CVE-2026-10907 is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning there is no confirmed widespread active exploitation. However, this does not mean exploits do not exist in closed threat actor communities. Given the public disclosure and ease of exploitation, assume weaponized code will emerge rapidly. Organizations should treat this as high-priority and patch immediately rather than waiting to see if active exploitation appears in public threat feeds.
Do other browsers based on Chromium face the same risk?
Yes. Browsers built on Chromium (Microsoft Edge, Brave, Opera, and others) that use vulnerable versions of the ANGLE library are at risk. Check your browser vendor's security advisories and patch accordingly. Do not assume only Chrome users are affected. Verify that enterprise browsers have all received corresponding patches before considering the vulnerability mitigated organization-wide.
What should I do if users visited untrusted sites before the patch was applied?
Review logs for suspicious access, credential compromise, or lateral movement during and after the exposure window. Consider resetting credentials for users who may have been compromised, running EDR scans for signs of malware installation, and reviewing network traffic for data exfiltration. If sensitive data was accessible to the compromised user (e.g., API keys, customer databases), assume breach and investigate accordingly. Patch first to prevent new compromises, then investigate existing risk.
This analysis is based on publicly available vulnerability data as of the published and modified dates listed. Patch version numbers and CVSS scores are sourced from official vendor advisories and the National Vulnerability Database. Organizations should verify patch applicability against their specific Chrome versions and Chromium-based browser deployments before proceeding. This document does not constitute legal, compliance, or comprehensive risk advice; consult your security team and relevant organizational policies. Exploitation techniques and proof-of-concept code are not provided herein. For the most current patch status and vendor guidance, consult Google's official Chrome security updates and advisories for Chromium-based browser vendors. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10883HIGHType Confusion in Chrome ANGLE Graphics Library
- CVE-2026-10897HIGHCritical Chrome GPU Sandbox Escape Vulnerability
- CVE-2026-10941HIGHSkia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10006HIGHChrome WebAudio Race Condition Remote Code Execution
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)