HIGH 7.5

CVE-2026-9901: Use-After-Free in Chrome ANGLE Graphics Library (CVSS 7.5)

A use-after-free flaw in ANGLE (the graphics abstraction layer used by Chrome) allows an attacker to run malicious code on a target's machine. The attack requires two conditions: the attacker must first compromise Chrome's renderer process (the component that draws web content), and the victim must then visit a specially crafted web page. Once both conditions are met, arbitrary code can execute with the privileges of the compromised renderer process. This affects Chrome versions before 148.0.7778.216.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
4 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Use after free in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9901 is a use-after-free vulnerability (CWE-416) in the ANGLE graphics library within Google Chrome. The flaw exists in memory management within ANGLE's rendering pipeline, allowing an attacker who has already gained control of the renderer process to trigger a memory access after the object has been freed. By crafting a malicious HTML page with specific WebGL or graphics API calls, an attacker can cause the freed memory to be used in an unsafe manner, leading to arbitrary code execution. The CVSS 3.1 score of 7.5 (High) reflects the requirement for initial renderer compromise and user interaction, but acknowledges the high-impact consequences if exploited.

Business impact

The primary business risk is multi-stage compromise. While a use-after-free in isolation requires the renderer to already be compromised, it significantly elevates the damage from any prior renderer exploit. An attacker with renderer-level access gains a reliable path to system-level code execution, potentially enabling lateral movement, data exfiltration, malware installation, or denial of service. For organizations where Chrome is a primary browsing platform, this increases the cost of a breach because it removes a containment boundary. Users of Chrome on Windows, macOS, and Linux systems running versions prior to 148.0.7778.216 are at risk.

Affected systems

Google Chrome prior to version 148.0.7778.216 is vulnerable. The vulnerability affects Chrome running on Windows, macOS, and Linux environments. No other products are inherently vulnerable, though the underlying graphics abstraction principles may be relevant to other Chromium-based browsers that bundle ANGLE. Users should verify their Chrome version by navigating to chrome://help, which will auto-update the browser and display the current version.

Exploitability

Exploitability is currently low in the wild because the attack chain is complex: an attacker must first compromise the renderer process through a separate vulnerability or social engineering, and then must craft a malicious webpage that the victim visits. The vulnerability itself (use-after-free) is a common memory safety bug, and ANGLE's graphics API is well-known, making weaponization technically feasible for skilled attackers. However, the requirement for initial renderer compromise and user interaction substantially raises the barrier to entry. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating no widespread exploitation has been documented to date.

Remediation

The definitive fix is to update Google Chrome to version 148.0.7778.216 or later. Chrome's auto-update mechanism typically deploys patches automatically within hours of release, though enterprise deployments may have update policies that delay installation. Verify your current version at chrome://help. For organizations with managed Chrome deployments, confirm that update policies are set to install this patch promptly. As a supplementary control, restrict user ability to navigate to untrusted websites and reinforce security awareness training about phishing and social engineering, since initial renderer compromise is a prerequisite for this exploit.

Patch guidance

Update Chrome to version 148.0.7778.216 or newer. On Windows and macOS, Chrome will typically auto-update; check chrome://help to force an update check and confirm the new version is installed. On Linux, use your distribution's package manager or rebuild Chrome from source if you maintain a custom build. Enterprise administrators should verify that security update policies are applied and validate that systems are actually running the patched version within 48 hours of availability. Test critical web applications in the updated environment before rolling out broadly, particularly those with dependencies on WebGL or GPU acceleration, to rule out compatibility issues.

Detection guidance

Detection is challenging because the vulnerability resides deep in graphics memory management and requires monitoring browser process behavior. Organizations with endpoint detection and response (EDR) tools should enable memory-protection monitoring on Chrome processes and watch for anomalous memory access patterns or privilege escalation attempts following Chrome renderer process activity. Log Chrome version and update timestamps from asset management systems to confirm patched versions are deployed. Review browser security logs for signs of prior renderer compromise (crashes, unusual plugin loading, suspicious network activity from the browser). Web application firewalls can be configured to block requests known to trigger similar use-after-free patterns in ANGLE, though signatures must be carefully tuned to avoid false positives.

Why prioritize this

This vulnerability merits prompt patching because it is a high-severity flaw in a ubiquitous application (Chrome), affects all major operating systems, and provides a reliable mechanism for privilege escalation once the renderer is compromised. Although it is not currently exploited in the wild (KEV=false), the combination of memory safety bugs in graphics libraries and the widespread presence of Chrome in enterprise and consumer environments creates significant long-term risk. Patch within 2 weeks for most organizations; 48 hours for environments where Chrome is used to access highly sensitive data or where prior renderer vulnerabilities are a known concern.

Risk score, explained

The CVSS 3.1 score of 7.5 reflects: (1) Network vector (AV:N) because the attacker delivers the malicious page over HTTP/HTTPS; (2) High complexity (AC:H) because initial renderer compromise is required; (3) No privileges required (PR:N) for the use-after-free itself, though compromised renderer context is assumed; (4) User interaction required (UI:R) because the victim must navigate to the malicious page; (5) Unchanged scope (S:U) within the browser process; (6) High impact on confidentiality, integrity, and availability (C:H/I:H/A:H) because arbitrary code execution in renderer context can read memory, modify content, and crash the browser. The score appropriately penalizes the multi-stage requirement while recognizing the severe consequences if both stages succeed.

Frequently asked questions

Do I need to be targeted specifically for this vulnerability to affect me?

Not exactly. The vulnerability requires two conditions: (1) your Chrome renderer process is already compromised via a separate exploit or social engineering, and (2) you visit a malicious webpage. You don't need to be individually targeted, but you do need to encounter the attacker's webpage. This is why keeping Chrome updated and practicing safe browsing habits are both important.

Is this vulnerability actively being exploited?

No. As of the latest CISA KEV catalog review, this vulnerability is not listed as known to be exploited in the wild. However, this does not mean exploitation will never occur. The vulnerability is real and can be weaponized by sophisticated attackers, so patching promptly remains the right approach rather than waiting for active exploitation to occur.

What is ANGLE and why does it matter?

ANGLE is a cross-platform graphics abstraction layer that allows Chrome to access hardware-accelerated rendering (GPU) on Windows, macOS, and Linux. It translates WebGL and other graphics API calls into platform-specific DirectX, Metal, or Vulkan commands. A flaw in ANGLE affects all web pages that use GPU-accelerated graphics, making it a high-value target for attackers.

If I update Chrome, will my browser settings and saved passwords be preserved?

Yes. Chrome updates are transparent to users; your bookmarks, passwords, settings, and extensions will remain intact. The update simply patches the underlying binary and restarts the browser process. Auto-update may prompt you to restart the browser, but no manual action is typically required.

This analysis is based on publicly available information as of 2026-06-17. CVSS scores and technical details are derived from official Chromium and NVD sources. Patch availability and version numbers should be verified directly with Google's official Chrome release notes and security advisories before deployment. The absence of a vulnerability from the CISA KEV catalog does not guarantee the absence of exploitation in private or targeted campaigns. Organizations should conduct their own risk assessment and testing before deploying patches in production environments. SEC.co does not provide legal advice and recommends consultation with your security and compliance teams regarding remediation timelines and policies. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).