Description
Use after free in WebGL in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-04-01
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A use‑after‑free flaw in the WebGL implementation of Google Chrome allows a maliciously crafted HTML page to trigger a memory corruption event. The bug, classified as CWE‑416 and CWE‑825, enables the attacker to execute arbitrary code within the browser’s sandboxed environment. Once inside the sandbox, the attacker may exploit privileged extensions or bypass access controls, effectively compromising the compromised client system.

Affected Systems

Google Chrome browsers on all supported platforms (Windows, macOS, Linux) older than version 146.0.7680.178 are vulnerable. The attack can be launched from any web page loaded in the affected browser.

Risk and Exploitability

The vulnerability has a CVSS score of 8.8 and an EPSS probability of less than 1 %. It is not listed in the CISA KEV catalog, indicating that no publicly known exploits are currently available. The attack vector is remote, with an attacker delivering a malicious HTML document to the victim’s browser. If exploited, the attacker gains code execution capability without needing to escape the browser sandbox.

Generated by OpenCVE AI on April 2, 2026 at 02:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 146.0.7680.178 or later.
  • Verify that the browser version has been upgraded before proceeding.
  • If immediate update is not possible, disable WebGL in Chrome’s experimental features to reduce the surface area of the bug.

Generated by OpenCVE AI on April 2, 2026 at 02:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6192-1 chromium security update
History

Thu, 02 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Title chromium-browser: Use after free in WebGL
First Time appeared Apple
Apple macos
Google
Google chrome
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Weaknesses CWE-825
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Google
Google chrome
Linux
Linux linux Kernel
Microsoft
Microsoft windows
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

threat_severity

Important

Wed, 01 Apr 2026 05:00:00 +0000

Type Values Removed Values Added
Description Use after free in WebGL in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-02T03:55:51.173Z

Reserved: 2026-03-31T20:07:14.383Z

Link: CVE-2026-5285

cve-icon Vulnrichment

Updated: 2026-04-01T13:45:54.116Z

cve-icon NVD

Status : Modified

Published: 2026-04-01T05:16:01.953

Modified: 2026-04-02T00:16:24.800

Link: CVE-2026-5285

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-31T00:00:00Z

Links: CVE-2026-5285 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:18:16Z

Weaknesses