HIGH 8.8

CVE-2026-10913: Critical Chrome ANGLE Use-After-Free RCE on Windows

A use-after-free vulnerability exists in the ANGLE graphics library component of Google Chrome on Windows. An attacker can craft a malicious HTML page that, when visited by a user, triggers memory corruption within Chrome's sandbox environment. While the sandbox limits direct system compromise, successful exploitation allows arbitrary code execution within that sandboxed context, potentially leading to data theft, credential capture, or lateral movement attempts. The vulnerability requires user interaction (visiting a malicious page) but no special privileges.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Use after free in ANGLE in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10913 is a use-after-free flaw (CWE-416) in ANGLE, Chrome's abstraction layer for graphics APIs on Windows. When processing specially crafted HTML, the vulnerability allows an attacker to reference memory that has already been freed, leading to controlled memory corruption and code execution within the Chrome sandbox. The CVSS 3.1 score of 8.8 (High) reflects the high confidentiality, integrity, and availability impact, combined with network-based attack surface and low attack complexity. Chrome's sandbox architecture mitigates full system compromise, but the high score reflects the real risk of in-process exploitation.

Business impact

Organizations where employees browse untrusted content face significant risk. Successful exploitation could result in theft of session cookies, authentication tokens, stored passwords, or sensitive documents accessed through the browser. Attackers may also use compromised browser processes as a foothold for further reconnaissance or lateral movement within corporate networks. For organizations relying on Chrome as a primary browser, this vulnerability represents an active threat during the window between public disclosure and user patching.

Affected systems

Google Chrome versions prior to 149.0.7827.53 on Windows systems are vulnerable. The Windows dependency is significant: the vulnerability is specific to Chrome's Windows-based ANGLE implementation and does not affect Chrome on macOS, Linux, or mobile platforms. Both consumer and enterprise deployments of Chrome on Windows require patching. No other vendors or products are directly affected by this ANGLE flaw.

Exploitability

Exploitation requires a user to visit a crafted webpage—a common attack vector via malicious advertisements, compromised websites, or phishing. No authentication is required, and the barrier to entry is low for attackers with basic web exploit knowledge. However, the ANGLE vulnerability is not trivial to trigger reliably; it requires precise memory manipulation. As of the modification date (2026-06-17), this vulnerability is not yet listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation in the wild has not been confirmed by government sources, though public disclosure increases attack likelihood.

Remediation

Update Google Chrome to version 149.0.7827.53 or later immediately. Chrome's auto-update mechanism typically delivers patches within days of release, but verify that your deployment has updated by checking chrome://version or system policy enforcement. For enterprises managing Chrome via policy, deploy the update through your patch management workflow and confirm rollout across endpoints. No workarounds exist; patching is the only mitigation.

Patch guidance

Verify Chrome is updated to 149.0.7827.53 or later by navigating to chrome://about, which will display the current version and indicate if updates are available or pending restart. For Windows domain environments, use Group Policy or your MDM solution to enforce automatic updates or push the latest version. If using Chrome offline installers, download version 149.0.7827.53 or newer from Google's official release channels. Test the patch in a non-production environment first if your organization has strict change control policies. Prioritize patching systems where users regularly visit external websites or receive emails with links.

Detection guidance

Monitor for Chrome crash dumps or suspicious renderer process activity on Windows endpoints, particularly correlating with user browsing to unknown or suspicious domains. Endpoint Detection and Response (EDR) tools should flag attempts to execute code from unusual memory regions within Chrome processes. Web proxy logs may reveal patterns of users visiting sites hosting exploit kits targeting ANGLE. Monitor for unusual child processes spawned from Chrome or unexpected network connections initiated by Chrome's sandbox processes. Correlate browser telemetry (if available) with security alerts to identify targeted users.

Why prioritize this

This vulnerability merits high priority due to its network-based attack surface, low complexity, and high impact. While the Chrome sandbox provides some containment, the ability to execute arbitrary code within a user's browser session is a serious threat. The lack of KEV confirmation does not diminish urgency; confirmed zero-days in graphics libraries are often targeted by sophisticated threat actors. Organizations should treat this as critical for patch management queues, especially if users access untrusted content or if your threat model includes advanced adversaries.

Risk score, explained

The CVSS 3.1 score of 8.8 reflects: (1) Network attack vector—no physical access or VPN required, just a malicious webpage; (2) Low attack complexity—a crafted HTML page is sufficient; (3) No privilege escalation required; (4) User interaction necessary but common (clicking a link or viewing a page); (5) Scoped to a single user's browser process (Chrome sandbox) but with high confidentiality, integrity, and availability impact within that scope. The sandbox boundary prevents OS-level compromise but does not reduce the score because code execution within a user's trusted application context is inherently high-risk.

Frequently asked questions

Does Chrome's sandbox prevent this attack from affecting my system?

The sandbox limits the blast radius—an attacker cannot directly access the operating system, kernel, or other processes. However, they can steal data visible to the user (emails, passwords, browsing history, documents), exfiltrate authentication tokens, or use the compromised browser as a stepping stone for further attacks. The sandbox is a containment layer, not a prevention layer for this vulnerability.

I use Chrome on macOS or Linux. Am I affected?

No. This vulnerability is specific to Chrome's Windows implementation of ANGLE. Chrome on macOS, Linux, and mobile platforms uses different graphics APIs (Metal, Vulkan, etc.) and are not vulnerable to this particular flaw. However, you should still keep Chrome updated for other potential vulnerabilities.

What if my organization has auto-updates disabled?

You must manually deploy Chrome version 149.0.7827.53 or later through your patch management system or by direct installer deployment. Check chrome://version on each endpoint to confirm the update was applied. If auto-updates are disabled by policy, coordinate with your IT/security team to prioritize this patch or temporarily enable updates for Chrome.

How can I tell if someone exploited this vulnerability against me?

Direct detection is difficult without advanced forensics. Monitor for Chrome crashes, unexpected spawned processes, or unusual network connections from Chrome. If you suspect compromise, check browser history for unexpected pages, review saved passwords, and consider credential resets. Enable additional browser telemetry logging if your organization supports it, and consult your EDR or SIEM logs for behavioral anomalies on the affected date range.

This analysis is based on publicly available information and the CVE record as of 2026-06-17. Patch version numbers, CVSS scores, and CWE classifications are derived from the official CVE and vendor sources. Readers should verify patch applicability in their specific environment and consult Google's official Chrome security advisories for the most current information. No exploit code or weaponizable proof-of-concept details are provided. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and recommends independent validation before making security decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).