CVE-2026-9910: Chrome ANGLE Out-of-Bounds Memory Access – Exploit & Patch Guide
A memory safety bug in Google Chrome's graphics engine (ANGLE) allows an attacker to run malicious code within Chrome's sandbox by sending a specially crafted web page to a victim. The vulnerability requires user interaction—specifically visiting a malicious webpage—but no special privileges. Once triggered, an attacker could read sensitive data, modify browser state, or crash the application. This affects Chrome on Windows, macOS, and Linux.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-125, CWE-787
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Out of bounds memory access in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9910 is an out-of-bounds memory access vulnerability in ANGLE, Chrome's cross-platform graphics abstraction layer. The flaw stems from improper bounds checking (CWE-125) that permits out-of-bounds writes (CWE-787) when processing specially formatted HTML content. An unauthenticated remote attacker can exploit this via a crafted webpage delivered over the network. The vulnerability is contained within Chrome's sandbox, limiting direct system compromise but enabling sandbox escape techniques and information disclosure. The CVSS 3.1 score of 8.8 (High) reflects the combination of network reachability, low attack complexity, user interaction requirement, and high impact on confidentiality, integrity, and availability.
Business impact
Chrome is ubiquitous across enterprise and consumer environments. Exploitation could lead to credential theft from browser storage, exfiltration of browsing data, malware installation within the sandbox context, or lateral movement if chained with sandbox escape exploits. The requirement for user interaction (visiting a malicious page) means targeted phishing or watering-hole campaigns are the primary delivery vectors. Organizations relying on Chrome for sensitive workflows face elevated risk until patching is complete.
Affected systems
Google Chrome versions prior to 148.0.7778.216 on Windows, macOS, and Linux are vulnerable. The vulnerability affects the rendering engine on all supported platforms. Chrome's auto-update mechanism means most consumer and many enterprise users will patch automatically, but organizations with update controls or custom builds must validate patching status across their fleet.
Exploitability
Exploitation requires delivering a specially crafted HTML page to a victim and obtaining user interaction (clicking a link, visiting a site). The attack is remote and requires no authentication or special privileges. The CVSS vector (AV:N/AC:L/UI:R/S:U) reflects these conditions. The vulnerability is not known to be actively exploited in the wild (KEV status: not listed), but the technique is straightforward enough for skilled attackers. Sandbox containment mitigates full-system takeover but does not prevent data exfiltration or privilege escalation chains.
Remediation
Apply the security update to Chrome 148.0.7778.216 or later immediately. Google's automatic update system should deliver this to most users, but administrators should verify deployment in their environment. For managed deployments, push updates through your configuration management tool. No workarounds exist; patching is the only remediation. If unpatched Chrome must remain in use temporarily, restrict users' ability to visit untrusted websites.
Patch guidance
Update Google Chrome to version 148.0.7778.216 or later on all affected platforms (Windows, macOS, Linux). Verify the version by navigating to Chrome menu > About Google Chrome; the browser will display its current version and notify you if an update is available or has been applied. For enterprise deployments, use update policies (e.g., Google Admin Console, group policy, or configuration profiles) to enforce the update across your fleet. Monitor update compliance metrics to confirm successful patching within your organization's update timeline.
Detection guidance
Monitor Chrome version compliance in your fleet using endpoint management tools or browser telemetry. Endpoint Detection and Response (EDR) solutions may alert on unusual ANGLE graphics processing or sandbox escapes, though these signatures require tuning. Network-based detection is limited; the attack originates from user browsing activity. Consider tracking visits to known malicious domains via proxy or DNS logs. No patch-status verification CVE has been published; rely on your browser management reporting.
Why prioritize this
This vulnerability merits immediate attention due to its combination of high CVSS score (8.8), network reachability, low attack complexity, and the ubiquity of Chrome. While KEV status is not active and sandbox containment limits impact, the straightforward exploitation path and potential for chaining with other exploits to escape the sandbox elevate risk. Prioritize patching over other medium-severity items.
Risk score, explained
The CVSS 3.1 score of 8.8 reflects: Network-based attack vector (AV:N), no special attack complexity (AC:L), unauthenticated access (PR:N), and user interaction required (UI:R). The impact vector shows high confidentiality, integrity, and availability impact (C:H/I:H/A:H) within the scope of the Chrome process. The score does not account for sandbox containment—a mitigating factor in practice—but assumes a worst-case memory corruption exploitation path.
Frequently asked questions
Does this vulnerability allow attackers to compromise my computer completely?
The flaw is contained within Chrome's sandbox, which restricts an attacker's access to the broader system. However, the vulnerability could enable theft of data stored in Chrome (passwords, browsing history, cookies, cached credentials) or be chained with other exploits to escape the sandbox. For most users, patching immediately limits exposure to the first category of attacks.
Am I at risk if I don't click on anything?
The attack requires user interaction—specifically visiting a malicious webpage or following a link to one. If you visit a site that hosts the exploit, it triggers automatically. You don't need to download or install anything, but you must navigate to the malicious content. Avoid clicking suspicious links in emails or messages.
How quickly should I patch?
Deploy this patch within your standard critical update timeline, ideally within 1–2 weeks. Chrome's auto-update system may have already patched your browser if automatic updates are enabled. Check Chrome > About Google Chrome to verify your version is 148.0.7778.216 or later.
Is this vulnerability being actively exploited?
As of the latest update, this vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning there is no confirmed active exploitation in the wild. However, the straightforward nature of memory corruption exploits means attackers may develop working exploits once patches are released. Prioritize patching to avoid being among the first targeted.
This analysis is provided for informational purposes only and does not constitute security advice or a guarantee of vulnerability impact. CVSS scores and severity assessments are derived from published sources and subject to change. Patch availability and version numbers should be verified against Google's official security advisories. Organizations should conduct their own risk assessments and test patches in non-production environments before wide deployment. SEC.co makes no warranty regarding the accuracy, completeness, or timeliness of this information. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10941HIGHSkia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required
- CVE-2026-9975HIGHChrome ANGLE Sandbox Escape – Out-of-Bounds Memory Vulnerability
- CVE-2026-10883HIGHType Confusion in Chrome ANGLE Graphics Library
- CVE-2026-10889HIGHCritical ANGLE Sandbox Escape in Google Chrome – Patch to 149.0.7827.53
- CVE-2026-10897HIGHCritical Chrome GPU Sandbox Escape Vulnerability
- CVE-2026-10907HIGHChrome ANGLE Out-of-Bounds Write – Remote Code Execution Risk
- CVE-2026-10927HIGHChrome Sandbox Escape via Dawn Out-of-Bounds Read
- CVE-2026-11015HIGHCritical Chrome WebGPU Out-of-Bounds Read Vulnerability