HIGH 8.8

CVE-2026-9965: Critical Out-of-Bounds Write in Chrome ANGLE Graphics Library

A memory vulnerability in Google Chrome's ANGLE graphics library allows attackers to corrupt heap memory through a specially crafted webpage. When a user visits a malicious site, the attacker can trigger an out-of-bounds write operation that overwrites data beyond intended memory boundaries. This could lead to arbitrary code execution with the privileges of the browser process. The vulnerability requires user interaction (visiting a malicious page) but is otherwise trivial to deliver via normal web browsing.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-787
Affected products
4 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Out of bounds write in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9965 is an out-of-bounds write vulnerability (CWE-787) in the ANGLE graphics translation layer used by Chrome. ANGLE abstracts DirectX, Metal, and OpenGL APIs to improve cross-platform graphics performance. The flaw allows a remote attacker to write data outside allocated heap buffers via crafted HTML and WebGL content. Successful exploitation results in heap corruption, potentially enabling arbitrary code execution. The vulnerability affects Chrome versions prior to 148.0.7778.216. The CVSS 3.1 score of 8.8 (High) reflects the network attack vector, low attack complexity, and high impact across confidentiality, integrity, and availability.

Business impact

This vulnerability poses a significant risk to organizations where employees use Chrome for work activities. An attacker can compromise user workstations by hosting malicious content on websites or injecting payloads into legitimate sites. Potential impacts include theft of credentials, session tokens, and sensitive data accessible to the user; installation of malware or remote access trojans; and lateral movement into corporate networks. Organizations relying on Chrome in security-sensitive roles (developers, DevOps, cloud administrators) face elevated risk due to the privileges available to compromised browser processes.

Affected systems

Google Chrome on Windows, macOS, and Linux is directly affected. All versions prior to 148.0.7778.216 contain this vulnerability. While the CVE references Apple macOS and Microsoft Windows as vendor-product combinations, the root issue is Chrome itself; affected systems are those running vulnerable Chrome installations on any supported OS. Linux systems using Chrome (including Chromium-based derivatives) are also in scope if running unpatched versions.

Exploitability

Exploitability is high from a practical standpoint. The attack requires only that a user visit a malicious or compromised webpage—no special configuration, authentication, or user action beyond normal browsing is needed. An attacker can host a weaponized site or compromise legitimate high-traffic pages to maximize reach. The Chromium security team classified this as High severity, and the CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms remote, unauthenticated exploitation with minimal complexity. However, the vulnerability is not currently listed on CISA's KEV catalog, suggesting limited evidence of active exploitation at the time of advisory publication.

Remediation

Update Google Chrome to version 148.0.7778.216 or later immediately. Chrome's auto-update mechanism will typically deploy the patch within hours of release, but verify that auto-update is enabled in your environment. Users can manually check for updates via Chrome menu > Help > About Google Chrome. Organizations should confirm patch deployment across all endpoints and verify that no vulnerable versions remain accessible through legacy configurations or managed deployments.

Patch guidance

Prioritize Chrome patching as an urgent security task. Configure Chrome to auto-update if not already enabled. For managed enterprise deployments, verify that update policies are set to the latest stable channel. Test the patch in a non-production environment to rule out any compatibility issues with critical web-based applications before rolling out organization-wide. After patching, spot-check a sample of user devices to confirm version 148.0.7778.216 or later is running. Consider temporarily restricting access to untrusted websites during any delay in patch deployment.

Detection guidance

Monitor Chrome version inventory using your endpoint management or mobile device management tools to identify unpatched installations. Set alerts for systems reporting Chrome versions earlier than 148.0.7778.216. Web proxies and firewalls can log suspicious WebGL-based content delivery or pages with encoded exploit payloads, though detection is challenging without behavioral analysis. Monitor for unexpected child processes spawned from Chrome or abnormal network activity from Chrome processes post-compromise. Incident response teams should prioritize investigating any reports of unusual browser behavior, unexpected crashes, or unexplained system activity on machines where vulnerable Chrome versions were confirmed.

Why prioritize this

This vulnerability merits immediate patching. The combination of high CVSS score (8.8), trivial attack surface (any visited webpage), and high impact (remote code execution) makes it attractive to attackers. Although not yet listed on CISA's KEV, the technical characteristics suggest active exploitation is likely as researchers reverse-engineer the fix. Heap corruption vulnerabilities in browser engines have historically been weaponized quickly. Delaying patching significantly increases breach risk across your user base.

Risk score, explained

The CVSS 3.1 score of 8.8 reflects: Network-accessible attack vector (AV:N) requiring no special network positioning; low attack complexity (AC:L) with no need for authentication or special conditions; minimal user interaction limited to visiting a webpage (UI:R); and high impact across all three security dimensions—confidentiality (user data and credentials exposed), integrity (code execution enables malware installation), and availability (process crash or system compromise). The score appropriately represents a critical remote code execution vulnerability in widely-used software.

Frequently asked questions

Will auto-update in Chrome deploy this patch automatically?

Yes, if you have auto-update enabled (the default for most Chrome installations). Chrome will check for updates and deploy version 148.0.7778.216 or later within hours of release. You can manually trigger an update check via Chrome menu > Help > About Google Chrome.

What is ANGLE and why does it matter?

ANGLE (Almost Native Graphics Layer Engine) is a translation library that converts graphics API calls from applications into platform-specific formats (DirectX on Windows, Metal on macOS, OpenGL on Linux). Many browsers use ANGLE to improve performance and compatibility. This vulnerability is in ANGLE's code, which runs with browser privileges.

Can I be infected by just viewing a page with malicious JavaScript?

Yes. The attacker does not need you to download or install anything. A specially crafted webpage containing malicious WebGL content or HTML can trigger the out-of-bounds write in ANGLE when rendered by vulnerable Chrome. Simply visiting the page is sufficient.

Is this vulnerability in Chromium-based browsers other than Chrome?

Potentially. Other Chromium-based browsers (Edge, Opera, Brave, etc.) may be affected if they use a similarly vulnerable version of ANGLE. Check with those vendors for patch guidance. The CVE specifically names Google Chrome, so verify patch status with other vendors separately.

This analysis is based on publicly available vulnerability data as of the publication date. CVSS scores and technical details are sourced from official vulnerability databases and vendor advisories. While we have taken care to provide accurate information, organizations should verify patch availability, compatibility, and deployment procedures with official Chrome and vendor documentation. This explainer does not constitute professional security advice; consult your organization's security team and vendor advisories for guidance specific to your environment. SEC.co makes no warranty regarding the completeness or accuracy of this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).