Description
Out of bounds read and write in Angle in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Published: 2026-04-28
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An out-of-bounds read and write flaw exists in the Angle graphics engine used by Google Chrome. The vulnerability can be triggered by a specially crafted HTML page and may allow a remote attacker to escape the browser sandbox. If successful, the attacker could execute arbitrary code outside the browser process, compromising the host system's confidentiality and integrity.

Affected Systems

Google Chrome browsers that are older than version 147.0.7727.138 are vulnerable. The issue affects all platforms that ship with Chrome containing the old Angle engine, including Windows, macOS, Linux, Android, and iOS.

Risk and Exploitability

The CVSS severity is high, and the vulnerability is exploitable without the need for additional privileges. No EPSS data is available, and the issue is not currently listed in the CISA KEV catalog. Attackers can exploit the flaw by serving a malicious web page to a user running an affected Chrome browser. Because the flaw can lead to a sandbox escape, the impact is significant for both enterprise and consumer users.

Generated by OpenCVE AI on April 29, 2026 at 01:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 147.0.7727.138 or later to apply the vendor patch.
  • Verify that the browser sandbox is enabled and that Chrome runs with its default sandboxed configuration.
  • Maintain regular updates to Chrome and monitor for additional security advisories to ensure continued protection.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 19:15:00 +0000

Type: Metrics
  Values Removed:
    cvssV3_1: {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}
  Values Added:
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
    cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Wed, 29 Apr 2026 12:15:00 +0000

Type: Title
  Values Removed: Chrome Angle Engine Out-of-Bounds Read/Write Enables Sandbox Escape
  Values Added: chromium-browser: Out of bounds read and write in Angle
Type: Weaknesses
  Values Added: CWE-125
Type: References
Type: Metrics
  Values Removed:
    threat_severity: None
  Values Added:
    cvssV3_1: {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}
    threat_severity: Important


Wed, 29 Apr 2026 01:30:00 +0000

Type: Title
  Values Added: Chrome Angle Engine Out-of-Bounds Read/Write Enables Sandbox Escape
Type: Weaknesses
  Values Added: CWE-787, CWE-788

Wed, 29 Apr 2026 01:15:00 +0000

Type: First Time appeared
  Values Added: Google; Google chrome
Type: Vendors & Products
  Values Added: Google; Google chrome

Tue, 28 Apr 2026 23:00:00 +0000

Type: Description
  Values Added: Out of bounds read and write in Angle in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Type: References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-30T03:55:40.829Z

Reserved: 2026-04-28T20:02:45.328Z

Link: CVE-2026-7354

Vulnrichment

Updated: 2026-04-29T18:26:25.101Z

NVD

Status: Received

Published: 2026-04-28T23:16:22.977

Modified: 2026-04-29T19:16:25.193

Link: CVE-2026-7354

Redhat

Severity: Important

Public Date: 2026-04-28T00:00:00Z

Links: CVE-2026-7354 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T01:15:44Z

Weaknesses