Description
Use after free in ANGLE in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-04
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use-after-free vulnerability in the ANGLE graphics layer of Google Chrome on Windows allows a remote attacker to execute arbitrary code within the browser sandbox. The flaw is triggered by a specially crafted HTML page that causes a freed GPU resource to be accessed again, giving the attacker code execution with the privileges of the sandboxed Chrome process. The impact is high: a malicious web page can run arbitrary code on the victim's system, inside that sandbox.

Affected Systems

Google Chrome installations on Windows that are older than version 149.0.7827.53 are affected. The flaw exists in the ANGLE component used by Chrome on Windows only, and does not impact other operating systems or non‑Chromium browsers.

Risk and Exploitability

The CVSS base score of 8.8 indicates a high severity vulnerability. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, which suggests no documented exploitation in the wild so far. The likely attack vector is a remote, crafted HTML page served over HTTP/HTTPS; the attacker needs the victim to visit the malicious page to trigger the flaw. While exploitation requires a specific payload, the high CVSS score and absence of mitigating controls in affected builds represent a realistic risk to users who have not applied the latest patch.

Generated by OpenCVE AI on June 5, 2026 at 05:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 149.0.7827.53 or newer on Windows.
  • If an update cannot be applied immediately, disable hardware acceleration in Chrome to prevent ANGLE from being initialized: Settings → Advanced → System → toggle off "Use hardware acceleration when available".
  • Maintain Safe Browsing and other anti‑phishing protections enabled in Chrome to reduce the chance of visiting malicious sites.



Advisories

No advisories yet.

History

Fri, 05 Jun 2026 05:45:00 +0000

Type | Values Removed | Values Added
Title | | Use‑After‑Free in ANGLE Enables Remote Code Execution via Crafted HTML in Chrome

Fri, 05 Jun 2026 02:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google; Google chrome
Vendors & Products | | Google; Google chrome

Fri, 05 Jun 2026 01:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Use after free in ANGLE in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses | | CWE-416
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T00:32:41.268Z

Reserved: 2026-06-04T17:06:04.838Z

Link: CVE-2026-10914

Vulnrichment

Updated: 2026-06-05T00:26:22.787Z

NVD

Status: Received

Published: 2026-06-04T23:16:53.473

Modified: 2026-06-05T02:16:55.100

Link: CVE-2026-10914

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T05:30:32Z

Weaknesses