HIGH 8.8

CVE-2026-9941: Use-After-Free in Chrome ANGLE Graphics Library RCE

A use-after-free flaw in Chrome's ANGLE graphics library allows attackers to run arbitrary code within Chrome's sandbox by serving a malicious HTML page. An attacker would need to trick a user into visiting a crafted website; no special privileges or system access are required. Chrome versions before 148.0.7778.216 are vulnerable.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Use after free in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9941 is a use-after-free vulnerability (CWE-416) in ANGLE, the graphics abstraction layer used by Google Chrome. The flaw permits remote code execution inside the Chrome sandbox with no authentication or special configuration required. The attack vector is network-based and requires user interaction (visiting a malicious page). Chromium's security team rated this High severity. The CVSS 3.1 score of 8.8 reflects high impact on confidentiality, integrity, and availability within the sandboxed process.

Business impact

This vulnerability poses a direct risk to any organization where employees browse the web using Chrome. Exploitation could lead to data exfiltration from the renderer process, privilege escalation out of the sandbox, or lateral movement within a network if combined with additional flaws. Organizations relying on Chrome's sandbox as a primary defense against malicious websites should prioritize patching immediately. Remote workforce and BYOD environments face elevated risk if patch deployment is delayed.

Affected systems

Google Chrome versions prior to 148.0.7778.216 are affected. This includes all platforms (Windows, macOS, Linux, Android, iOS) running vulnerable Chrome builds. Chrome OS devices, Android devices with Chrome, and iOS devices running Chrome are all in scope. Organizations should inventory Chrome deployments across their infrastructure and verify current versions against the patched release.

Exploitability

Exploitation requires only a network connection and user interaction—the attacker must convince or trick a user into visiting a malicious HTML page. No complex exploit chains are needed to trigger the vulnerability. Sandbox escape is theoretically possible if additional vulnerabilities are chained; however, the use-after-free itself is confined to the renderer process. The relatively low complexity and user-interaction requirement suggest moderate-to-high real-world exploit likelihood, especially in targeted campaigns.

Remediation

Update Google Chrome to version 148.0.7778.216 or later. Chrome's automatic update mechanism typically deploys patches within hours to days of release. Enterprise administrators should verify deployment completion across their fleet. For organizations with auto-update disabled, manual update policies should be activated or patches applied immediately. Verify the updated version in Chrome's About page (chrome://about) after patching.

Patch guidance

Google Chrome will auto-update for most users; check chrome://settings/help to confirm the running version matches 148.0.7778.216 or higher. Enterprise deployments should consult the Chromium release notes and security advisory for any configuration-specific deployment guidance. Apply patches as soon as testing confirms compatibility with your environment. Monitor Chrome update channels (stable, beta, dev) to confirm rollout progress. No interim mitigations are a substitute for patching.

Detection guidance

Monitor for unusual Chrome process behavior, including unexpected crashes or hang events that may indicate exploitation attempts. Network-based detection is difficult since the attack occurs entirely within an HTTPS session. Endpoint detection should focus on Chrome sandbox escape indicators—unexpected child processes spawned by Chrome renderers, unusual file operations, or network connections from chrome.exe/chromium processes. Web proxy logs may capture malicious HTML delivery if the site is known. Consider blocking access to known malicious domains if intelligence is available.

Why prioritize this

This vulnerability merits urgent patching due to the combination of high CVSS score (8.8), sandbox-breakout potential, and the prevalence of Chrome in enterprise and consumer environments. The attack vector (user visit to a website) is common and difficult to prevent through network controls alone. Threat actors frequently target memory corruption flaws like use-after-free for in-the-wild exploitation. The lack of KEV listing does not diminish the need for rapid remediation.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH) reflects: (1) Network attack vector with no privileges required, (2) Low attack complexity, (3) User interaction needed (reduces from critical), (4) Scope unchanged (sandbox confinement), (5) High impact on confidentiality, integrity, and availability. The score appropriately captures the severity within the sandboxed renderer process and potential for further exploitation. Organizations should treat this as a critical patch despite the sandbox isolation.

Frequently asked questions

Does this vulnerability require user interaction?

Yes, an attacker must trick or convince a user to visit a malicious HTML page. However, this is a common attack vector and difficult to defend against through policy alone. All users browsing the internet are at risk.

Can this vulnerability be exploited through email or other non-web vectors?

The vulnerability itself is triggered via crafted HTML, so exploitation requires rendering that HTML in Chrome. Email-based attack would require the user to open a malicious attachment or click a link to a malicious website.

Does Chrome's sandbox prevent all exploitation?

The use-after-free flaw is confined to the renderer process sandbox, limiting direct system impact. However, sandbox escape via chaining with other vulnerabilities is theoretically possible. Patching remains essential.

What is ANGLE and why is this significant?

ANGLE is an abstraction layer between web content and graphics APIs (DirectX, OpenGL, Vulkan). Flaws in ANGLE affect rendering security across all of Chrome. This component is critical to Chrome's architecture, making vulnerabilities here high-priority.

This analysis is based on publicly available CVE data and Chromium security advisories current as of the publication date. No exploit code or weaponized proof-of-concept details are provided. Organizations should verify patch availability and compatibility within their environment before deployment. This document is for informational purposes and does not constitute professional security advice. Consult your security team and vendor guidance for remediation timelines specific to your organization. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).