CVE-2026-9928: Critical Chrome ANGLE Out-of-Bounds Read Vulnerability on Windows
A memory safety flaw in Google Chrome's ANGLE graphics library allows attackers to read data outside intended memory boundaries. When a user visits a specially crafted webpage, this out-of-bounds read can be weaponized to execute arbitrary code on the affected Windows system. The vulnerability affects Chrome versions prior to 148.0.7778.216 and is rated High severity by Chromium's security team.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-125
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Out of bounds read in ANGLE in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9928 is an out-of-bounds read vulnerability (CWE-125) in ANGLE, Chrome's abstraction layer for graphics APIs. The flaw exists in how ANGLE processes certain graphics rendering operations on Windows. By carefully constructing HTML content that triggers specific rendering paths, a remote attacker can read memory beyond allocated buffer boundaries. This information disclosure can leak values that bypass security mitigations, enabling subsequent arbitrary code execution within the Chrome process. The vulnerability requires user interaction (visiting a malicious page) but no additional privileges or special conditions.
Business impact
This vulnerability poses a significant risk to any organization where employees use Chrome on Windows. Successful exploitation leads to arbitrary code execution in the browser context, potentially allowing attackers to steal credentials, sensitive data, or establish persistence. Targeted campaigns could use this to compromise specific users in your organization. The relatively low complexity (standard HTML page) and minimal user interaction required make this a practical attack vector for both mass campaigns and targeted intrusions.
Affected systems
Google Chrome on Microsoft Windows systems running versions prior to 148.0.7778.216 are affected. Users on other operating systems (macOS, Linux, Android, iOS) are not vulnerable to this specific flaw. The vulnerability affects all Chrome installations on vulnerable Windows versions; auto-update may have already remediated this for many users, but manual verification is recommended.
Exploitability
The exploitability is moderate-to-high. While the vulnerability requires a user to visit a malicious website or open a weaponized HTML document, no elevated privileges or special system configuration is needed. ANGLE's role in routine graphics rendering means the vulnerable code path can be triggered reliably. However, successful code execution exploitation requires chaining the information disclosure with additional techniques, making truly reliable weaponization non-trivial but feasible for skilled attackers. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities catalog.
Remediation
Update Google Chrome to version 148.0.7778.216 or later. Users with auto-update enabled may already be protected; verify your version via Chrome's About menu (chrome://about). For organizations managing Chrome deployments, push version 148.0.7778.216 or newer through your deployment mechanisms. No workarounds exist for unpatched systems, so prompt patching is critical.
Patch guidance
Verify you are running Chrome version 148.0.7778.216 or later by navigating to chrome://about, which also shows auto-update status. If auto-update is enabled and your version is older than 148.0.7778.216, manually trigger an update restart. For managed deployments, use your organization's Chrome policy infrastructure to enforce minimum version requirements and verify compliance. Test patches in a non-production environment first to ensure compatibility with internal web applications or extensions.
Detection guidance
Network-level detection is challenging due to the rendering-based nature of the exploit. Endpoint detection should focus on Chrome process anomalies: monitor for unexpected child processes spawned by Chrome, abnormal file access patterns, or network connections initiated by the browser. Browser crash reports and renderer process exits may indicate exploitation attempts. Web proxy logs showing access to suspicious or newly registered domains visited just before Chrome crashes warrant investigation. Consider enabling Chrome's Enhanced Safe Browsing for additional protection against malicious pages.
Why prioritize this
This vulnerability merits immediate attention due to its High CVSS score (8.8), remote network exploitability, minimal user friction, and the ubiquity of Chrome in enterprise environments. The combination of information disclosure and arbitrary code execution in a widely-used application creates significant organizational risk. Although not yet on CISA's KEV list, the straightforward attack surface makes it a likely target for adversary development.
Risk score, explained
The CVSS 3.1 score of 8.8 reflects: remote network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The impact is severe—confidentiality, integrity, and availability are all compromised (C:H/I:H/A:H). The score appropriately captures the threat: easy-to-exploit for attackers yet requiring victims to click or visit a malicious page. The High severity aligns with Chromium's assessment and the real-world threat landscape.
Frequently asked questions
Do I need to worry about this if I use Chrome on macOS or Linux?
No, this specific vulnerability affects only Windows systems. ANGLE, the graphics library at fault, is primarily used on Windows. If you're on macOS or Linux, you're not vulnerable to CVE-2026-9928, though you should still maintain current Chrome versions for other security fixes.
I have auto-update enabled. Am I already protected?
Likely, but verify. Open chrome://about to see your version. If it shows 148.0.7778.216 or newer and auto-update is enabled, you're protected. If your version is older and auto-update is on, click the update button and restart Chrome.
What's the difference between the information disclosure and the code execution?
The out-of-bounds read allows the attacker to leak sensitive memory values that protect against code execution (such as addresses used by ASLR). Once those values are known, the attacker can craft a secondary exploit to actually run arbitrary code. Both steps happen during a single malicious page visit.
Should I block Chrome at my organization until we patch?
Blocking Chrome entirely is excessive given that many users likely auto-update. Instead, prioritize rapid patch deployment, monitor for exploitation attempts, and consider temporary increased monitoring of Chrome processes. Communicate the update urgently to users and validate deployment completion within 48–72 hours.
This analysis is based on official CVE records, Chromium security advisories, and publicly available threat intelligence as of the analysis date. Security landscapes evolve; verify all patch versions and affected product lists against official vendor advisories before deployment decisions. This document does not constitute legal or compliance advice. Organizations must assess applicability within their own risk frameworks and technical environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10889HIGHCritical ANGLE Sandbox Escape in Google Chrome – Patch to 149.0.7827.53
- CVE-2026-10927HIGHChrome Sandbox Escape via Dawn Out-of-Bounds Read
- CVE-2026-10941HIGHSkia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required
- CVE-2026-11015HIGHCritical Chrome WebGPU Out-of-Bounds Read Vulnerability
- CVE-2026-9910HIGHChrome ANGLE Out-of-Bounds Memory Access – Exploit & Patch Guide
- CVE-2026-9975HIGHChrome ANGLE Sandbox Escape – Out-of-Bounds Memory Vulnerability
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure