CVE-2026-9899: Chrome ANGLE Use-After-Free Sandbox Escape (CVSS 8.3)
A use-after-free memory defect in ANGLE (the graphics abstraction layer used by Chrome) can allow an attacker to escape Chrome's sandbox if they've already compromised the renderer process. The attack requires a specially crafted web page and user interaction, but successful exploitation could give an attacker full system access beyond Chrome's security boundaries.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Use after free in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9899 is a use-after-free vulnerability (CWE-416) in the ANGLE graphics library integrated into Google Chrome. The flaw exists in memory management within the renderer process; an attacker who has already achieved code execution in that sandboxed context can trigger the use-after-free to corrupt memory and potentially pivot to a sandbox escape. The vulnerability carries a CVSS 3.1 score of 8.3 (High severity) with a vector reflecting network attack surface, high complexity, user interaction requirement, and ability to compromise confidentiality, integrity, and availability. Google rates this as High chromium security severity.
Business impact
A successful exploit chain—first compromising the renderer, then escaping the sandbox—would give an attacker unrestricted access to the underlying system. This could lead to data exfiltration, malware installation, lateral movement, or supply-chain compromise if the user's system is part of a managed enterprise environment. Organizations with users who browse untrusted websites face elevated risk.
Affected systems
Google Chrome versions prior to 148.0.7778.216 are affected. Users on older versions remain vulnerable until they upgrade. The vulnerability is specific to the ANGLE graphics library as implemented in Chrome; other Chromium-based browsers may be affected depending on their use of the same ANGLE code, though those are outside the scope of this CVE.
Exploitability
Exploitation is feasible but not trivial. An attacker must first compromise Chrome's renderer process—typically via a separate browser vulnerability or social engineering—and then use CVE-2026-9899 to break out of the sandbox. The attack requires a crafted HTML page and user interaction, making opportunistic mass exploitation less likely than targeted attacks. The vulnerability does not appear on the CISA Known Exploited Vulnerabilities catalog, indicating no widespread active exploitation has been publicly confirmed as of the modification date.
Remediation
Update Google Chrome to version 148.0.7778.216 or later. Chrome's auto-update mechanism typically deploys patches within days; users should verify they are running the latest version via Settings > About Chrome. Enterprise environments should verify patch deployment via their device management policies.
Patch guidance
Upgrade to Google Chrome 148.0.7778.216 or any subsequent stable release. Verify the installed version in Settings > About Chrome; the browser will automatically download and apply the patch on next restart if available. Enterprise deployments should verify successful rollout through their mobile device management (MDM) or endpoint management console within one week of patch release. No interim workarounds are available; patching is the only mitigation.
Detection guidance
Monitor for unusual process behavior following Chrome renderer crashes or high memory churn, which may indicate exploitation attempts. Endpoint detection and response (EDR) tools should flag attempts to spawn system processes or access sensitive data immediately after Chrome crashes or exhibits memory corruption. However, detection is challenging because exploitation occurs within the browser's sandboxed process; focus on behavioral anomalies post-crash rather than the vulnerability itself. Web proxy logs showing delivery of crafted HTML pages to users can provide indirect signals if correlated with device incidents.
Why prioritize this
Patch this vulnerability promptly because successful exploitation enables full sandbox escape—moving from renderer-level compromise to system-level access. Although the initial renderer compromise is a prerequisite, organizations cannot assume their users will never encounter malicious content; the sandbox escape capability elevates the overall risk. The High CVSS score and Chromium security severity designation reflect this threat escalation. Prioritize patching for systems in high-value roles (developers, analysts, administrators) and endpoints in sensitive network segments.
Risk score, explained
The CVSS 8.3 (High) score reflects: (1) network attack surface (AV:N) via crafted web content, (2) high attack complexity (AC:H) due to the need for prior renderer compromise and specific trigger conditions, (3) no privileges required from the attacker once renderer access is gained (PR:N), (4) user interaction needed (UI:R) to visit the malicious page, and (5) changed security scope (S:C) with high impact on confidentiality, integrity, and availability. The score appropriately weights the severity of sandbox escape against the relative difficulty of exploitation.
Frequently asked questions
Do I need to worry about this if I'm already using Chrome's security features like Safe Browsing?
Safe Browsing helps block known malicious sites, but it cannot detect every exploit page. This vulnerability still requires an initial renderer compromise, which Safe Browsing may not catch. Keep your Chrome version up to date as the primary defense; Safe Browsing is a useful additional layer, not a replacement for patching.
What is ANGLE and why does a graphics library vulnerability matter?
ANGLE is the abstraction layer Chrome uses to translate web graphics calls to the operating system's graphics APIs. Vulnerabilities in graphics libraries are significant because they run with high privileges and process untrusted content (web pages) continuously. A flaw here can affect memory safety across the entire renderer.
Could this affect other Chromium-based browsers?
Possibly, if they use the same version of ANGLE. However, this CVE is specific to Chrome; vendors of Edge, Brave, Opera, or other Chromium variants would publish their own advisories if affected. Check your browser vendor's security page for their response.
Is there an exploit in the wild?
No; CVE-2026-9899 is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning no public or active exploitation has been confirmed. However, the vulnerability is valuable to sophisticated attackers, so patching promptly is prudent rather than waiting for proof-of-concept code to surface.
This analysis is based on official CVE records and vendor advisories published through June 17, 2026. CVSS scores, patch versions, and KEV status reflect data current as of the modification date; verify patch version numbers and deployment guidance against Google's official Chrome release notes before deployment. No exploit code or weaponized proof-of-concept information is provided. This intelligence is intended for authorized security professionals and should not be used to develop or distribute malicious tools. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10000HIGHChrome Sandbox Escape via Use-After-Free in Password Handling
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10005HIGHChrome macOS Use-After-Free RCE Vulnerability (7.5 CVSS)
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment