HIGH 8.3

CVE-2026-9924: Chrome ANGLE Heap Buffer Overflow & Sandbox Escape on Windows

A flaw in the ANGLE graphics library (which Chrome uses to render graphics on Windows) can cause memory corruption when processing specially crafted web content. An attacker who has already compromised Chrome's sandboxed renderer process could exploit this to escape the sandbox and gain full system access. The vulnerability requires user interaction—the victim must open a malicious webpage—but once the renderer is compromised, the attacker has a path to execute code outside the sandbox.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Weaknesses (CWE)
CWE-122
Affected products
2 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Heap buffer overflow in ANGLE in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9924 is a heap buffer overflow in ANGLE, Google's graphics translation layer used by Chrome on Windows. The flaw exists in versions prior to 148.0.7778.216. When the renderer process encounters a malicious HTML page, out-of-bounds memory writes can occur in heap-allocated buffers. While the vulnerability itself requires the renderer process to be compromised first, it enables privilege escalation from the sandboxed renderer context to the full browser process or system level. The attack chain is: user visits malicious page → renderer exploit → heap overflow in ANGLE → sandbox escape.

Business impact

Organizations with Windows environments where Chrome is used—particularly those running older versions—face risk of complete system compromise if users are tricked into visiting attacker-controlled sites. This is especially concerning for environments that rely on Chrome's sandbox as a security boundary against drive-by downloads or malicious advertising networks. A successful exploit could lead to data theft, lateral movement, malware installation, or ransomware deployment.

Affected systems

Google Chrome versions prior to 148.0.7778.216 on Microsoft Windows are vulnerable. The flaw does not affect Chrome on macOS, Linux, or Android, nor does it affect other Chromium-based browsers unless they use vulnerable versions of the ANGLE library. Verify your Chrome version via Chrome menu > Help > About Google Chrome (auto-update will show the installed version).

Exploitability

Practical exploitation requires two conditions: first, an attacker must achieve code execution in Chrome's renderer process (via a separate renderer exploit, typically a web-based vulnerability), and second, the renderer must process a crafted HTML page that triggers the heap overflow. The requirement for prior renderer compromise and user interaction (visiting a malicious page) reduces opportunistic mass-exploitation, but in targeted scenarios or alongside other Chrome vulnerabilities, the risk is material. The vulnerability is not yet listed on CISA's Known Exploited Vulnerabilities catalog as of the available data.

Remediation

Update Google Chrome to version 148.0.7778.216 or later on all Windows systems. Chrome's auto-update mechanism typically deploys patches within days, but verify completion via Chrome menu > Help > About Google Chrome. For managed environments, enforce Chrome updates via group policy (Windows) or your mobile device management platform. Until patched, avoid visiting untrusted websites or clicking suspicious links that could deliver renderer exploits.

Patch guidance

Google released the patch in Chrome version 148.0.7778.216. This version is available through the standard Chrome auto-update channel. Organizations should verify successful deployment across their Windows fleet. If you use Chrome extensions that disable auto-update or operate in offline environments, manually download the patched version from google.com/chrome. No workarounds exist for unpatched versions; patching is the only remediation.

Detection guidance

Monitor for Chrome process crashes or anomalous behavior (e.g., renderer process spawning unexpected child processes). Watch for web traffic to known malicious domains or suspicious HTML being downloaded by users. Endpoint Detection and Response (EDR) tools should flag heap spraying activity or unusual memory access patterns during ANGLE rendering. Browser telemetry and crash reports (if enabled) may indicate exploitation attempts. Consider blocking known attack staging domains at the network perimeter.

Why prioritize this

This vulnerability merits high priority because it enables sandbox escape—one of the most critical attack paths in browser security. While it requires prior renderer compromise, sandbox escapes amplify the impact of any renderer vulnerability. Given that Chrome is ubiquitous in enterprise and consumer environments on Windows, and that renderer exploits are regularly discovered, the combined risk is substantial. Patch within 1–2 weeks to close this escalation vector.

Risk score, explained

CVSS 3.1 score of 8.3 reflects high severity: network attack vector (user visits a malicious page), high complexity (attacker needs prior renderer control), no special privileges required, user interaction needed, and the scope changes (sandbox boundary crossed). The score accounts for confidentiality, integrity, and availability impacts—successful exploitation could expose sensitive data, modify system state, or crash the browser and potentially the system.

Frequently asked questions

Does this affect me if I use Chrome on macOS or Linux?

No. The ANGLE graphics library and this specific buffer overflow only affect Windows builds of Chrome. macOS and Linux versions use different graphics interfaces (Metal and Vulkan, respectively) and are not vulnerable to this flaw.

If Chrome auto-updates, do I need to do anything?

Chrome should auto-update to 148.0.7778.216 automatically. However, verify the update completed by visiting Chrome menu > Help > About Google Chrome. If your organization disables auto-update or operates offline, manually initiate the update or download the patched version from google.com/chrome.

Can I be exploited if I just browse normally without downloading anything?

The vulnerability requires a malicious webpage to trigger the heap overflow, which can happen through normal browsing. However, exploitation also requires prior compromise of Chrome's renderer process—a separate vulnerability. If your Chrome is up-to-date against known renderer exploits, your risk is lower, but patching for this heap overflow closes the sandbox escape path entirely.

What is a sandbox escape and why is it critical?

Chrome's sandbox isolates the renderer process (which runs untrusted web content) from the full system. A sandbox escape allows an attacker to break out of that isolation and execute code with full system privileges. This is critical because it transforms a contained browser vulnerability into complete system compromise, enabling theft of all user data, installation of malware, or lateral movement in a network.

This analysis is based on vendor information and public data as of the modification date (June 17, 2026). Patch version numbers and availability should be verified against Google's official security advisories and your organization's systems. No exploit code or weaponized proof-of-concept details are provided. This document does not constitute legal or compliance advice. Organizations should tailor response plans to their specific risk tolerance, threat model, and regulatory environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).