Description
Integer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Critical)
Published: 2026-05-28
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Chrome users can be exposed to unintended data leakage due to an integer overflow bug in ANGLE, the graphics abstraction layer used by recent Chrome builds. An attacker can supply a specially crafted HTML page that triggers the overflow and causes the browser to read memory beyond its intended bounds. The result is that data belonging to another origin can be exposed to the attacker’s page, effectively allowing remote data exfiltration from the victim's machine.

Affected Systems

Google Chrome versions earlier than 148.0.7778.216 are vulnerable. This includes all stable‑channel builds released before the Chrome update published in early May 2026. Any system running one of those builds on desktop platforms is potentially affected.

Risk and Exploitability

Chromium lists the vulnerability's severity as Critical. The CVSS score of 4.3 indicates medium severity, and the EPSS score of < 1% indicates a low likelihood of exploitation. Although the attack vector is low effort (remote delivery via a malicious web page) and the impact is high, the EPSS score suggests a lower likelihood of exploitation than for vulnerabilities with higher EPSS scores. There is no indication the issue is listed in CISA's KEV catalog. The attack requires the victim to visit a crafted page, which is typical of many web-based vulnerabilities. Because the flaw lies in a core platform component, all users who can render the malicious content are at risk.

Generated by OpenCVE AI on May 29, 2026 at 19:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 148.0.7778.216 or later, ensuring that the patch bundle containing the ANGLE fix is installed.
  • Enable automatic updates or configure your enterprise update policy to push the latest stable release to all managed devices.
  • Monitor web traffic for anomalous cross‑origin requests and block or quarantine any sources that consistently generate suspicious HTML content.

Generated by OpenCVE AI on May 29, 2026 at 19:50 UTC.

Advisories

No advisories yet.

History

Fri, 29 May 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 29 May 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}


Fri, 29 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title Integer Overflow in ANGLE Allows Remote Cross‑Origin Data Leakage chromium-browser: Integer overflow in ANGLE
Weaknesses CWE-190
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N'}

threat_severity

Critical


Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Title Integer Overflow in ANGLE Allows Remote Cross‑Origin Data Leakage

Fri, 29 May 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 28 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description Integer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Critical)
Weaknesses CWE-472
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-29T16:49:28.202Z

Reserved: 2026-05-28T17:24:42.789Z

Link: CVE-2026-9882

Vulnrichment

Updated: 2026-05-29T16:49:24.922Z

NVD

Status: Analyzed

Published: 2026-05-28T23:16:46.160

Modified: 2026-05-29T18:44:48.317

Link: CVE-2026-9882

Redhat

Severity: Critical

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-9882 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T20:00:05Z

Weaknesses