CVE-2026-9879: Critical Out-of-Bounds Write in Chrome ANGLE Graphics Engine
A memory safety bug in Chrome's graphics rendering engine (ANGLE) allows attackers to write data outside of allocated memory boundaries. An attacker can craft a malicious HTML page that, when opened in vulnerable versions of Chrome, triggers this out-of-bounds write to execute arbitrary code on the user's system. The vulnerability requires user interaction—specifically, the victim must visit or be directed to the malicious webpage—but no special privileges are needed and the attack works over the network.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-787
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Out of bounds write in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9879 is an out-of-bounds write vulnerability in ANGLE (Almost Native Graphics Layer Engine), the graphics abstraction layer used by Chromium-based browsers. The flaw resides in memory management during graphics operations, allowing an attacker to write beyond the boundaries of an allocated buffer. This memory corruption can be leveraged to achieve remote code execution when a user visits a crafted HTML page. The vulnerability affects Chrome versions prior to 148.0.7778.216 and is classified as Critical by the Chromium security team, with a CVSS 3.1 score of 8.8 (High severity) due to its network-based attack vector, low complexity, lack of required privileges, and ability to compromise confidentiality, integrity, and availability.
Business impact
Exploitation of this vulnerability poses a direct risk to any organization where users browse the web with vulnerable Chrome versions. Successful attacks could lead to unauthorized code execution on employee workstations, enabling theft of sensitive data, installation of malware, lateral network movement, or system compromise. The barrier to exploitation is low—users need only visit a malicious site, making watering-hole attacks and targeted phishing campaigns viable delivery mechanisms. For organizations managing large Chrome deployments, delayed patching creates a window of exposure during which targeted or mass exploitation is feasible.
Affected systems
The vulnerability affects Google Chrome on Windows, macOS, and Linux systems running versions prior to 148.0.7778.216. While the underlying ANGLE library is cross-platform, the practical exposure depends on Chrome deployment scope within your environment. Secondary operating systems (Windows, macOS, Linux kernel) are listed as affected because they host the vulnerable browser, not because the flaw is in the OS itself.
Exploitability
Exploitability is high. The attack requires only network access and user interaction—the victim must visit a malicious webpage. No authentication, elevated privileges, or local access is necessary. The straightforward attack surface (arbitrary HTML) and the critical nature of the underlying flaw make this a likely target for active exploitation. Exploit toolkits and proof-of-concept code typically emerge quickly for graphics engine vulnerabilities, as they are well-studied by security researchers.
Remediation
Organizations should prioritize patching Chrome to version 148.0.7778.216 or later across all user systems. For managed environments, enforce automatic updates or use group policies to enforce minimum Chrome versions. Users should manually update Chrome immediately via Settings > About Google Chrome if automatic updates are not configured. This vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the last data update, but that does not indicate low risk—it reflects the recency of disclosure and the time lag in KEV reporting.
Patch guidance
Chrome 148.0.7778.216 and all subsequent versions contain the fix. Verify the exact patch version against Google's official Chrome release notes to confirm the fix applies to your deployment model (Stable, Extended Stable, or channel-specific builds). In managed environments, test the patch in a staging environment before rolling out to production users. For organizations using legacy or extended-support Chrome versions, consult Google's update timeline; some users may be on Extended Stable Channel, which has different release cadences.
Detection guidance
Monitor browser version strings in logs and endpoint telemetry to identify systems still running Chrome versions prior to 148.0.7778.216. Implement alerts on User-Agent headers in web proxies or network logs to flag outdated Chrome instances attempting connections. Endpoint Detection and Response (EDR) tools should monitor for suspicious process execution or memory corruption patterns following Chrome renderer process activity, though such signals are often subtle in memory-safety exploits. Network-based indicators are limited; prioritize version inventory and patching velocity tracking as primary detection mechanisms.
Why prioritize this
This vulnerability merits immediate remediation despite not yet appearing in the KEV catalog. The combination of network-based attack vector, low user interaction friction, remote code execution impact, and high CVSS score (8.8) makes it an attractive target for both targeted and opportunistic campaigns. The graphics engine is a high-value target due to its complexity and historical prevalence of memory-safety flaws. Delayed patching should be treated as elevated risk, especially in environments exposed to untrusted web content or where users frequently visit external websites.
Risk score, explained
The CVSS 3.1 score of 8.8 (High) reflects: network-based attack vector (AV:N) eliminating the need for local access; low attack complexity (AC:L) requiring no special conditions or user sophistication; no privilege requirements (PR:N); and user interaction necessary only to visit a page (UI:R), a low bar in real-world web browsing. The score captures three full impact categories—confidentiality, integrity, and availability (C:H/I:H/A:H)—because successful exploitation enables arbitrary code execution with no sandboxing bypasses required beyond the initial memory corruption. The score appropriately reflects the severity of remote code execution via a common attack surface.
Frequently asked questions
Is this vulnerability actively exploited in the wild?
As of the vulnerability's publication date (2026-05-28), the CVE is not listed on the CISA KEV catalog, which typically reflects known active exploitation. However, the absence from KEV does not indicate safety; it reflects reporting lag and the time required for exploitation in the wild to be verified and added to the catalog. Given the critical Chromium severity rating and the accessibility of the attack vector, organizations should assume exploitation is possible and patch accordingly.
Do I need to patch Chrome on every user device, or only those exposed to untrusted web content?
You should patch all Chrome instances running vulnerable versions. While users in highly restricted browsing environments may have lower immediate risk, memory-safety vulnerabilities in graphics engines are often chained with other flaws or exploited opportunistically. The cost of patching (low) far outweighs the risk of maintaining a vulnerable install base, and the technical bar for attackers to craft malicious content is low.
Can I disable graphics acceleration to mitigate this while waiting to patch?
Disabling GPU acceleration in Chrome settings may reduce (but not eliminate) the practical risk, as it bypasses some rendering paths. However, this is a workaround, not a mitigation, and may impact performance or user experience. Patching remains the only reliable remediation. If you must delay patching for operational reasons, disabling GPU acceleration and restricting web access to trusted sites are temporary risk-reduction steps, but should not replace a patch plan.
What's the difference between the CVSS score and the Chromium security severity rating?
The CVSS score (8.8, High) is a standardized, quantitative measure of vulnerability severity. Chromium's internal severity rating (Critical) reflects the Chromium project's assessment of the flaw's impact within their product and development context. Both indicate high priority, but Chromium's "Critical" label is their direct recommendation for urgency. In this case, both signals align: patch immediately.
This analysis is based on vulnerability data current as of the publication and modification dates provided (2026-05-28 to 2026-06-17) and reflects publicly available information from CVE and Chromium sources. Patch version numbers should be verified against Google's official Chrome release notes before deployment. The absence of a vulnerability from the CISA KEV catalog does not indicate low risk or low likelihood of exploitation. Organizations should assume that sophisticated attackers have access to or are developing exploits for memory-safety flaws in widely deployed software. This analysis does not constitute a comprehensive risk assessment for your specific environment; consult your organization's threat modeling and patch management policies before prioritization decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10883HIGHType Confusion in Chrome ANGLE Graphics Library
- CVE-2026-10897HIGHCritical Chrome GPU Sandbox Escape Vulnerability
- CVE-2026-10907HIGHChrome ANGLE Out-of-Bounds Write – Remote Code Execution Risk
- CVE-2026-10941HIGHSkia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required
- CVE-2026-9896HIGHChrome V8 Out-of-Bounds Write RCE – Patch to 148.0.7778.216
- CVE-2026-9910HIGHChrome ANGLE Out-of-Bounds Memory Access – Exploit & Patch Guide
- CVE-2026-9965HIGHCritical Out-of-Bounds Write in Chrome ANGLE Graphics Library
- CVE-2026-9973HIGHChrome V8 Out-of-Bounds Write Remote Code Execution (CVSS 8.8)