Description
Out of bounds read and write in Angle in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Published: 2026-04-28
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out‑of‑bounds read and write flaw exists in the Angle graphics engine used by Google Chrome. The bug can be triggered by a specially crafted HTML page and may let a remote attacker escape the browser’s sandbox, potentially executing code outside the browser process and compromising system confidentiality and integrity.

Affected Systems

Google Chrome versions prior to 147.0.7727.138 are affected. The CVE entry does not specify affected platforms, so the flaw applies to any platform that uses the Angle graphics engine in Chrome.

Risk and Exploitability

The CVSS score of 8.8 signals high severity, and the EPSS value of less than 1% indicates a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. An attacker could serve a malicious web page to an unsuspecting user of an affected Chrome browser to trigger the memory corruption and attempt a sandbox escape, yielding potentially full system compromise.

Generated by OpenCVE AI on May 2, 2026 at 00:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 147.0.7727.138 or later to apply the vendor patch.
  • Validate that the browser sandbox remains enabled in your deployment configuration.
  • Keep Chrome automatically updated and monitor official security advisories for future patches.

Generated by OpenCVE AI on May 2, 2026 at 00:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6239-1 chromium security update
History

Fri, 01 May 2026 06:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-788

Thu, 30 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Wed, 29 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Wed, 29 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Title Chrome Angle Engine Out-of-Bounds Read/Write Enables Sandbox Escape chromium-browser: Out of bounds read and write in Angle
Weaknesses CWE-125
References
Metrics threat_severity

None

 cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

threat_severity

Important

Wed, 29 Apr 2026 01:30:00 +0000

Type Values Removed Values Added
Title Chrome Angle Engine Out-of-Bounds Read/Write Enables Sandbox Escape
Weaknesses CWE-787
CWE-788

Wed, 29 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Tue, 28 Apr 2026 23:00:00 +0000

Type Values Removed Values Added
Description Out of bounds read and write in Angle in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-30T03:55:40.829Z

Reserved: 2026-04-28T20:02:45.328Z

Link: CVE-2026-7354

cve-icon Vulnrichment

Updated: 2026-04-29T18:26:25.101Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-28T23:16:22.977

Modified: 2026-04-30T16:38:18.927

Link: CVE-2026-7354

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-28T00:00:00Z

Links: CVE-2026-7354 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T00:45:30Z

Weaknesses