MEDIUM 4.3

CVE-2026-9913: Out-of-Bounds Read in Chrome ANGLE Graphics Library

A flaw in the ANGLE graphics library component of Google Chrome prior to version 148.0.7778.216 could allow an attacker to access memory outside intended bounds when a user visits a malicious website. The vulnerability requires user interaction (visiting a crafted page) but does not require special privileges. Potential impacts include disclosure of sensitive information, though the attacker cannot modify data or crash the browser directly through this flaw.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-125
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9913 is a CWE-125 out-of-bounds read vulnerability in ANGLE (Almost Native Graphics Layer Engine), Google's WebGL implementation used in Chrome. The 'inappropriate implementation' in ANGLE's graphics handling allows crafted HTML to trigger memory access beyond allocated buffer boundaries. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) indicates network accessibility, low complexity, no privilege requirement, and user interaction dependency, with low confidentiality impact and no integrity or availability impact. Google assigned Chromium security severity 'High,' reflecting the read-access nature and graphics context.

Business impact

This vulnerability poses a confidentiality risk if exploited to leak sensitive data from browser memory. Organizations where users visit untrusted or compromised websites face exposure of cached credentials, session tokens, or other in-memory secrets. The impact is generally contained because exploitation requires social engineering (user must visit the malicious site), and there is no remote code execution or denial-of-service. However, environments with high-risk browsing (research, open-source development, public-facing roles) warrant faster remediation.

Affected systems

Google Chrome versions prior to 148.0.7778.216 are affected. This includes all stable, beta, and development builds released before the patch date. Chrome on all platforms (Windows, macOS, Linux, Android, iOS) is in scope. Other Chromium-based browsers may also be affected depending on their ANGLE integration and patch status; verify with vendors such as Microsoft Edge, Brave, or Vivaldi for their own remediation timelines.

Exploitability

The vulnerability is not currently tracked in CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning active exploitation in the wild is not confirmed as of publication. However, out-of-bounds reads in graphics drivers are well-understood attack vectors, and a motivated attacker with web development skills could craft a proof-of-concept. The requirement for user interaction (visiting a link) raises the bar compared to zero-click exploits but remains practical for phishing or drive-by compromise scenarios. No public exploit code is known to exist at this time.

Remediation

Apply Chrome update 148.0.7778.216 or later at your earliest convenience. Users can enable automatic updates in Chrome settings (Settings > About > Google Chrome) to receive the patch automatically. Organizations should verify rollout through MDM solutions if managing Chrome deployments. Verify that third-party Chromium-based browsers have also released patches before relying on them as alternatives.

Patch guidance

Google Chrome users and administrators should update to version 148.0.7778.216 or later. Auto-update is enabled by default but may be delayed; forcing a manual check via Settings > About accelerates deployment. For macOS users, note that Intel and Apple Silicon versions are released separately; both require the same version bump. Android and iOS users should ensure they are running the latest Chrome from their respective app stores. In enterprise environments, use Chrome update policies to enforce version compliance; document patch application dates for compliance records.

Detection guidance

Monitor Chrome version strings in user-agent logs and endpoint management consoles to ensure all instances are at 148.0.7778.216 or higher. Web proxies or network monitoring can flag older Chrome versions based on User-Agent headers, though spoofing is possible. Endpoint Detection and Response (EDR) tools should flag abnormal memory access patterns if the vulnerability is exploited, though detection post-compromise is difficult for read-only leaks. Network-based detection of crafted HTML payloads targeting this specific flaw is challenging without known indicators; rely on keeping systems patched and monitoring for suspicious user activities following site visits.

Why prioritize this

While the CVSS score of 4.3 is considered medium severity, the context warrants prioritized attention: ANGLE vulnerabilities have historically been leveraged in targeted attacks, graphics processing is a popular sandbox-escape vector, and the low exploitation complexity makes it a logical stepping stone in multi-stage attacks. Organizations with high-risk user populations (journalists, researchers, targeted sectors) should patch within 1–2 weeks. Lower-risk environments may extend to 4 weeks, provided auto-update is verified.

Risk score, explained

The CVSS 4.3 reflects the balance of a network-reachable flaw with user interaction requirement and limited impact scope (confidentiality only, no integrity or availability damage). Google's 'High' severity rating emphasizes the Chromium project's internal risk model, which weights graphics memory leaks heavily due to their role in sandbox breaks and information disclosure chains. The score is not inflated by 0-day status; as a patched vulnerability, risk is now a function of patch adoption lag.

Frequently asked questions

Can this vulnerability be exploited without the user clicking a link?

No. The attacker must trick or convince the user to visit a crafted website. There is no known way to trigger this flaw via email attachment, network proximity, or other passive means. However, watering-hole attacks or compromised legitimate websites could serve the malicious HTML to unsuspecting users.

Will updating Chrome to 148.0.7778.216 break my extensions or websites?

No. Chrome updates, especially security patches, are designed to maintain backward compatibility. Extensions and websites should continue to work normally. If you experience issues after updating, they are likely unrelated to this patch; check the Chrome release notes or contact your IT support.

Does this vulnerability affect Chrome on mobile (Android, iOS)?

Yes. Both Android and iOS versions of Chrome prior to 148.0.7778.216 are vulnerable. Mobile users should update via the Google Play Store (Android) or App Store (iOS). Verify that automatic app updates are enabled to receive patches promptly.

If we're not using Chrome, are we affected?

Not directly from this CVE. However, other Chromium-based browsers (Edge, Brave, Vivaldi, etc.) may include the same vulnerable ANGLE code. Check your browser vendor's security advisories and apply their equivalent patch. Non-Chromium browsers (Firefox, Safari) do not use ANGLE and are not affected by this specific flaw.

This analysis is provided for informational purposes and based on publicly available vendor data as of the publication date. No guarantee is made regarding the completeness or timeliness of information. Organizations should independently verify patch applicability, version numbers, and deployment timelines with official vendor advisories. SEC.co assumes no liability for decisions made based on this content. Always consult your security team and test patches in non-production environments before broad deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).