Description
Use after free in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-28
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use-after-free flaw in the ANGLE graphics stack of Google Chrome, present in all releases before 148.0.7778.216, allows a remote attacker to execute arbitrary code inside the browser sandbox when a user loads a specially crafted HTML page. Chromium rated the vulnerability High severity. It is classified as a use-after-free (CWE-416) and additionally as an expired pointer dereference (CWE-825).

Affected Systems

Google Chrome desktop builds for Windows, macOS, and Linux, distributed through the Stable channel and any earlier channel, are affected if they have not yet reached version 148.0.7778.216. The patch is included in all Chrome revisions equal to or newer than 148.0.7778.216 across all supported operating systems.

Risk and Exploitability

The exploitation probability, as measured by EPSS, is below 1% and the vulnerability is not listed in CISA's KEV catalog. However, the CVSS score of 8.8 indicates a severe risk. The likely attack vector is a malicious or phishing web page that a user visits; the page can include the crafted content that triggers the use-after-free and enables code execution inside the sandbox. No public exploits have been documented, but the high score, widespread user exposure, and web-delivery potential make the threat realistic.

Generated by OpenCVE AI on May 29, 2026 at 14:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 148.0.7778.216 or newer through the built‑in update mechanism.
  • If a patch cannot be applied immediately, launch Chrome with the flags "--disable-gpu" and "--disable-angle" to disable ANGLE, which removes the vulnerable graphics path.
  • Deploy web filtering or content‑blocking tools to reduce user exposure to malicious sites that might host the crafted HTML.



Advisories

No advisories yet.

History

Fri, 29 May 2026 18:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Apple; Apple macos; Linux; Linux linux Kernel; Microsoft; Microsoft windows |
| CPEs | | cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*; cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*; cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*; cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* |
| Vendors & Products | | Apple; Apple macos; Linux; Linux linux Kernel; Microsoft; Microsoft windows |

Fri, 29 May 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | Use-After-Free in ANGLE Allows Remote Code Execution via Crafted HTML Page | chromium-browser: Use after free in ANGLE |
| Weaknesses | | CWE-825 |
| References | | |
| Metrics | threat_severity: None | threat_severity: Important |


Fri, 29 May 2026 11:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'} |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Fri, 29 May 2026 01:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Google; Google chrome |
| Vendors & Products | | Google; Google chrome |

Fri, 29 May 2026 00:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Use-After-Free in ANGLE Allows Remote Code Execution via Crafted HTML Page |

Thu, 28 May 2026 22:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Use after free in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) |
| Weaknesses | | CWE-416 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-29T11:01:37.203Z

Reserved: 2026-05-28T17:24:52.881Z

Link: CVE-2026-9927

Vulnrichment

Updated: 2026-05-29T10:35:03.246Z

NVD

Status: Analyzed

Published: 2026-05-28T23:16:50.800

Modified: 2026-05-29T17:49:54.513

Link: CVE-2026-9927

Redhat

Severity: Important

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-9927 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T14:45:06Z
