CVE-2026-10914: Chrome ANGLE Use-After-Free RCE on Windows
A use-after-free vulnerability in ANGLE (the graphics abstraction layer used by Chrome on Windows) allows an attacker to execute code within Chrome's sandbox by tricking a user into visiting a malicious website. The vulnerability affects Chrome versions before 149.0.7827.53 and requires user interaction (visiting a crafted HTML page) but does not require any special privileges. Once exploited, the attacker gains the capabilities of the Chrome sandbox process, which is a significant security boundary but still constrains their access compared to the host system.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Use after free in ANGLE in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10914 is a use-after-free defect (CWE-416) in ANGLE, Google's cross-platform graphics rendering engine, specifically on Windows. Use-after-free flaws occur when code attempts to access memory that has already been freed, potentially allowing an attacker to read sensitive data, corrupt memory, or execute arbitrary instructions. In this case, the vulnerability resides in graphics processing logic and can be triggered via a specially crafted HTML page served to a Chrome user. The attack surface is the web rendering pipeline, making it accessible to any website an unsuspecting user visits. The vulnerability is contained within Chrome's sandbox, which isolates the rendering process from direct system access, though sandbox escapes remain a theoretical concern in advanced attack chains.
Business impact
This vulnerability poses a direct risk to any organization whose users browse the web using affected Chrome versions on Windows. Successful exploitation could lead to malware installation within the sandbox, credential theft from browser memory, session hijacking, or lateral movement preparation if chained with additional exploits. For enterprises, the risk is amplified in remote work scenarios where users operate on corporate networks. The requirement for user interaction (visiting a website) makes this a practical attack vector; adversaries have historically embedded such exploits in drive-by download campaigns, watering-hole attacks, or spear-phishing links. The HIGH severity rating reflects both the ease of exploitation and the potential for code execution.
Affected systems
Google Chrome on Windows versions prior to 149.0.7827.53 are affected. Microsoft Windows itself is listed as a vendor/product, reflecting the Windows-specific nature of the vulnerability; however, the flaw resides in Chrome's ANGLE rendering implementation rather than the OS itself. Chrome on other platforms (macOS, Linux, Android) is not affected by this particular ANGLE use-after-free. Users should verify their Chrome version; automatic updates are the default, but corporate deployments or devices with updates disabled may remain vulnerable.
Exploitability
This vulnerability has a low barrier to exploitation. The CVSS vector (AV:N/AC:L/PR:N/UI:R) indicates network-based attack, low complexity, no privileges needed, but does require user interaction. An attacker needs only to host a malicious HTML page and convince or trick a user into accessing it—no advanced social engineering or zero-day exploitation techniques beyond the vulnerability itself are necessary. The use-after-free condition is deterministic enough to be reliably triggered in controlled testing, though heap spray and other memory layout techniques may be needed for reliable code execution. As of the data provided, this vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning there is no evidence of active in-the-wild exploitation at the time of publication, but this does not preclude private exploitation or future abuse.
Remediation
The immediate remediation is to update Google Chrome to version 149.0.7827.53 or later. Chrome's auto-update mechanism should deliver this patch automatically within days of the user's next browser session; however, administrators managing Chrome deployments should verify patching across all endpoints. For enterprises unable to update immediately, supplementary controls include restricting access to untrusted websites via web filtering, disabling JavaScript if feasible for high-risk users, or leveraging Chrome enterprise policies to enforce rapid updates. Defense-in-depth measures such as EDR (Endpoint Detection and Response) monitoring, network segmentation, and browser isolation (running Chrome in a sandbox or virtual container) can reduce the likelihood of successful exploitation and subsequent lateral movement.
Patch guidance
Verify that Chrome has been updated to version 149.0.7827.53 or later. Users can check their version at chrome://settings/help, which will also trigger an immediate update check. In enterprise environments, administrators should use Chrome's device management console or group policy to enforce the minimum version requirement. Rollout should be prioritized for high-risk users (executives, finance, HR) and public-facing roles. Stagger deployment if necessary to catch any regressions, but aim for full deployment within 5–7 business days given the HIGH severity and ease of exploitation. No workarounds beyond patching are vendor-recommended; isolation and monitoring are supplementary only.
Detection guidance
Detecting exploitation is challenging at the network level because the attack is delivered via standard HTTPS web traffic. However, endpoint-level detection can focus on: (1) unusual child process spawning from the Chrome sandbox process (e.g., cmd.exe or powershell.exe launched by chrome.exe), (2) Chrome accessing unusual memory regions or making unexpected system calls, and (3) crashes or instability in chrome.exe preceded by visits to untrusted sites. EDR tools with behavioral analysis and memory inspection capabilities are more effective than signature-based detection. Monitor for CWE-416 indicators: heap corruption, buffer overflow crashes, or ASAN (Address Sanitizer) warnings in Chrome logs if debug builds are deployed. Correlate Chrome update status with endpoint vulnerability scans to identify systems still running versions prior to 149.0.7827.53.
Why prioritize this
This vulnerability warrants immediate prioritization because it combines a HIGH CVSS score (8.8), straightforward exploitability (network-based, no special privileges, user interaction common in normal browsing), and a large user base (Chrome is the dominant browser on Windows). The use-after-free in graphics processing is a well-understood attack surface; sandbox escapes from this class of vulnerability have been demonstrated, and advanced threat actors actively exploit similar flaws. The lack of KEV listing does not indicate low risk—it reflects the recency of the advisory and lack of observed wild exploitation, not low severity. Organizations should treat this as a critical patch requiring immediate action, especially for any user accessing sensitive data or systems via the browser.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) is justified by: (1) Network exploitability (AV:N) with low attack complexity (AC:L), making it trivial to deliver; (2) no privileges or special setup required (PR:N); (3) user interaction limited to clicking a link or visiting a website (UI:R), a routine action; and (4) high impact on confidentiality, integrity, and availability (C:H, I:H, A:H) within the sandbox scope. The sandbox boundary prevents direct OS compromise (Scope:Unchanged) but does not mitigate the risk of data theft, credential harvesting, or preparation for follow-on attacks. For enterprises, the real-world risk may be elevated if users are likely to encounter the attack vector or if the environment includes vulnerable configurations (outdated Chrome deployments, weak update policies).
Frequently asked questions
Does this vulnerability affect Chrome on macOS or Linux?
No. This is a Windows-specific vulnerability in ANGLE, Google's graphics abstraction layer. Chrome on macOS uses Metal, and Chrome on Linux uses various graphics APIs, but not ANGLE in the same manner. Check your Chrome version and OS; if you are not running Windows, this CVE does not apply to you.
What if I am already on Chrome 149.0.7827.53 or later?
You are not affected. Chrome automatically updates by default, so most users should have received this patch within days of its release. You can verify your version at chrome://settings/help. If you see a newer version available, your browser is up to date.
Can I be exploited if I just visit a website normally without clicking anything special?
The vulnerability requires visiting a crafted HTML page, but it does not require you to download a file, disable warnings, or take unusual actions. Simply landing on a malicious website (via a link in email, search result, or advertisement) could trigger the exploit. This is why browsing safety and keeping Chrome updated are critical.
Does the Chrome sandbox prevent all harm from this exploit?
The sandbox contains the initial exploit and prevents direct access to the file system and OS kernel. However, a skilled attacker could use this as one step in a multi-stage attack, potentially combining it with a sandbox escape vulnerability to gain full system access. The sandbox is a strong mitigation but not a complete guarantee of safety.
This analysis is provided for informational and defensive purposes only. All statements are based on the vendor advisory, CVSS scoring, and CWE classification as of the publication date. Actual exploit availability, active in-the-wild exploitation, and targeted campaigns are not guaranteed and may change. Organizations should verify patch availability and compatibility before deployment. No proof-of-concept code, weaponized exploit information, or instructions for malicious use are provided. SEC.co does not assume liability for decisions made based on this analysis; consult your security team and vendor advisories for your specific environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10000HIGHChrome Sandbox Escape via Use-After-Free in Password Handling
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability