Description
Out of bounds read in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-28
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an out‑of‑bounds read in the ANGLE graphics engine used by Google Chrome. A malicious web page can trigger the read of memory that is not owned by the page, exposing potentially sensitive data to the attacker. The Chromium team has rated the issue as High severity based on the potential confidentiality impact.

Affected Systems

Google Chrome desktop installations on all supported operating systems running any build prior to 148.0.7778.216 are vulnerable. These versions are present on Windows, macOS and Linux, and the flaw is triggered by a crafted HTML page served over the network.

Risk and Exploitability

A remote attacker can exploit this weakness by hosting a malicious web page or tricking a user into opening one. The attack requires only the ability to serve or display a crafted page to the target browser; no authentication is needed. The CVSS score is 6.5, indicating moderate severity. No public exploits or proof‑of‑concept code have been reported, and the EPSS score is < 1%. The vulnerability is not listed in CISA's KEV catalog, indicating it has not been observed in the wild at the time of reporting. The high severity rating from the Chromium project suggests that exploitation could lead to a significant confidentiality breach.

Generated by OpenCVE AI on May 29, 2026 at 15:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to the latest stable version (148.0.7778.216 or later) which removes the ANGLE out‑of‑bounds read bug
  • Configure Chrome to automatically download and install security updates so that the patch is applied without manual intervention
  • After updating, restart the browser to ensure the new code is loaded and the vulnerability is no longer present


Advisories

No advisories yet.

History

Fri, 29 May 2026 17:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 12:15:00 +0000

Type | Values Removed | Values Added
Title | Out‑of‑Bounds Read in ANGLE Leading to Remote Information Disclosure via Crafted HTML | chromium-browser: Out of bounds read in ANGLE
References | |
Metrics | threat_severity None | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}; threat_severity Important


Fri, 29 May 2026 01:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google; Google chrome
Vendors & Products | | Google; Google chrome

Fri, 29 May 2026 00:00:00 +0000

Type | Values Removed | Values Added
Title | | Out‑of‑Bounds Read in ANGLE Leading to Remote Information Disclosure via Crafted HTML

Thu, 28 May 2026 22:45:00 +0000

Type | Values Removed | Values Added
Description | | Out of bounds read in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Weaknesses | | CWE-125
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-29T16:24:02.770Z

Reserved: 2026-05-28T17:24:48.920Z

Link: CVE-2026-9908

Vulnrichment

Updated: 2026-05-29T16:23:58.742Z

NVD

Status: Undergoing Analysis

Published: 2026-05-28T23:16:48.867

Modified: 2026-05-29T18:17:14.160

Link: CVE-2026-9908

Redhat

Severity: Important

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-9908 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T15:45:16Z

Weaknesses