Description
Use after free in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-28
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a use‑after‑free in ANGLE, the graphics abstraction layer used by Google Chrome. The vulnerability, which exists in all Chrome releases prior to 148.0.7778.216, can be triggered by a crafted HTML page that is loaded by a renderer process that an attacker has already compromised. When triggered, the attacker can execute arbitrary code with the privileges of that renderer process, effectively gaining code‑execution rights on the host system. This matches CWE‑416 (Use After Free) and CWE‑825 (Exploitation of Memory Management).

Affected Systems

Google Chrome for desktop. Versions before 148.0.7778.216 are affected, as noted in the Chrome security release for May 2026. All users running those builds are at risk, especially if they have not applied recent security updates.

Risk and Exploitability

The CVSS score of 7.5 places this vulnerability in the High severity range. The EPSS score of less than 1% indicates a very low likelihood of exploitation at present, but the prerequisite of an already compromised renderer process suggests that the attack vector requires remote access to the browser via malicious content. The vulnerability is not listed in the CISA KEV catalog, so no known exploited instances have been published yet. The attack is inferred to be remote and mediated via the web.

Generated by OpenCVE AI on May 29, 2026 at 15:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 148.0.7778.216 or later using the official update channel.
  • Ensure automatic updates are enabled so that future security patches are applied promptly.
  • If a rapid update cannot be performed, launch Chrome with the command‑line flag --disable-angle to disable ANGLE until the vulnerability is fully addressed.

Advisories

No advisories yet.

History

Fri, 29 May 2026 17:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Apple, Apple macos, Linux, Linux linux Kernel, Microsoft, Microsoft windows |
| CPEs | | cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*, cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*, cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*, cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* |
| Vendors & Products | | Apple, Apple macos, Linux, Linux linux Kernel, Microsoft, Microsoft windows |

Fri, 29 May 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | | chromium-browser: Use after free in ANGLE |
| Weaknesses | | CWE-825 |
| References | | |
| Metrics | threat_severity: None | threat_severity: Important |

Fri, 29 May 2026 11:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'} |
| | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |

Fri, 29 May 2026 01:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Google, Google chrome |
| Vendors & Products | | Google, Google chrome |

Thu, 28 May 2026 22:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Use after free in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) |
| Weaknesses | | CWE-416 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-29T11:02:07.963Z

Reserved: 2026-05-28T17:24:47.370Z

Link: CVE-2026-9901

Vulnrichment

Updated: 2026-05-29T10:36:56.247Z

NVD

Status: Analyzed

Published: 2026-05-28T23:16:48.110

Modified: 2026-05-29T16:47:53.353

Link: CVE-2026-9901

Red Hat

Severity: Important

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-9901 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T15:15:46Z

Weaknesses