Description
Heap buffer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-28
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap buffer overflow exists in the ANGLE component of Google Chrome, affecting all releases prior to 148.0.7778.216. An attacker can deliver a specially crafted HTML page that triggers the overflow and corrupts heap memory, which could lead to arbitrary code execution or denial of service. The weakness is mapped to CWE-122 (Heap-based Buffer Overflow) and CWE-131 (Incorrect Calculation of Buffer Size); such heap corruption directly impacts integrity by allowing unauthorized memory modification.

Affected Systems

The vulnerability is present in Google Chrome. All builds before version 148.0.7778.216 are affected; users must check whether their browser falls within this range to determine exposure.

Risk and Exploitability

Chromium has labeled the issue as High severity and the CVSS score is 8.8. The EPSS score is less than 1%, indicating a very low exploitation probability. Nonetheless, the attack vector is remote via a crafted HTML page, making the threat level significant for any user who views untrusted content. The vulnerability is not listed in the CISA KEV catalog, but its high severity suggests that organizations could benefit from rapidly applying the fix.

Generated by OpenCVE AI on May 29, 2026 at 15:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 148.0.7778.216 or later. This release contains the fix that eliminates the heap buffer overflow in ANGLE.
  • Configure Chrome’s auto‑update setting or a central policy to ensure all users receive the updated build without delay. Even if an environment restricts automatic updates, manually push the latest installer to all endpoints as soon as possible.
  • Implement monitoring for anomalous web‑traffic or malicious HTML content that could exploit heap overflows, and consider blocking known malicious domains until the patch can be applied.


Advisories

No advisories yet.

History

Fri, 29 May 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 29 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title Remote Heap Overflow in Chrome ANGLE Component chromium-browser: Heap buffer overflow in ANGLE
Weaknesses CWE-131
References
Metrics threat_severity

None

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important


Fri, 29 May 2026 01:15:00 +0000

Type Values Removed Values Added
Title Remote Heap Overflow in Chrome ANGLE Component

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 28 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description Heap buffer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-122
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-29T17:52:17.668Z

Reserved: 2026-05-28T17:24:56.188Z

Link: CVE-2026-9940

Vulnrichment

Updated: 2026-05-29T17:52:13.756Z

NVD

Status: Undergoing Analysis

Published: 2026-05-28T23:16:52.123

Modified: 2026-05-29T19:16:30.097

Link: CVE-2026-9940

Red Hat

Severity: Important

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-9940 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T15:15:46Z

Weaknesses