Description
Use after free in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-28
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free flaw in ANGLE, the graphics engine used by Google Chrome, can be triggered by a crafted HTML page when an attacker has already compromised the renderer process. The resulting sandbox escape elevates the attacker’s privileges and allows them to execute arbitrary code on the host machine. The weakness is identified as CWE‑416 and is also associated with CWE‑825.

Affected Systems

Google Chrome browsers earlier than version 148.0.7778.216 are vulnerable. The flaw was present in the stable channel and has been addressed in subsequent releases.

Risk and Exploitability

The CVE is rated as high severity by Chromium, and its EPSS score is 0.00035, which is below 1%, and it is not listed in the CISA KEV catalog. The likely attack vector involves a malicious HTML document that is rendered by a renderer process that has already been compromised; this requires the attacker to have some foothold in the renderer but does not require privileges on the host. Because the flaw permits sandbox escape, the risk to confidentiality, integrity, and availability is substantial if the vulnerability is exploited. Updating Chrome mitigates the issue, but until a patch is applied, systems remain at high risk.

Generated by OpenCVE AI on May 29, 2026 at 16:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 148.0.7778.216 or later to apply the patch that fixes the ANGLE use‑after‑free flaw.
  • If an immediate upgrade is not feasible, run Chrome with GPU acceleration disabled (e.g., launch with the flag –‑disable-gpu) to reduce reliance on ANGLE, thereby limiting the exploitation surface.
  • Continuously monitor Chrome update releases and restrict browsers to the latest stable channel to avoid regression into older vulnerable builds.

Generated by OpenCVE AI on May 29, 2026 at 16:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 29 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Fri, 29 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Use after free in ANGLE
Weaknesses CWE-825
References
Metrics threat_severity

None

 cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}

threat_severity

Important

Fri, 29 May 2026 00:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 28 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description Use after free in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-29T14:44:47.183Z

Reserved: 2026-05-28T17:24:52.480Z

Link: CVE-2026-9925

cve-icon Vulnrichment

Updated: 2026-05-29T14:44:41.235Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-28T23:16:50.600

Modified: 2026-05-29T17:14:31.493

Link: CVE-2026-9925

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-9925 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T16:30:02Z

Weaknesses