Description
Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-28
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an insufficient validation of untrusted input in the ANGLE graphics abstraction layer of Google Chrome. This flaw permits a remote attacker to trigger arbitrary code execution by delivering a specially crafted HTML page. The weakness is identified as input validation issues (CWE‑20, CWE‑1286). Consequences include loss of confidentiality, integrity and availability of the affected system.

Affected Systems

Google Chrome versions prior to 148.0.7778.216 are affected. The issue was present in the stable channel before the 148.0.7778.216 update. All operating systems that run these Chrome versions are potentially impacted.

Risk and Exploitability

The CVE carries a CVSS score of 8.8. The EPSS score is less than 1%, indicating a low but non-zero probability of exploitation, but the flaw permits remote code execution and is not listed in CISA’s KEV catalog. Based on the description, a maliciously crafted HTML page can be used to trigger the vulnerability, making the risk practical for any user that opens such content.

Generated by OpenCVE AI on May 29, 2026 at 15:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Chrome version 148.0.7778.216 or later to include the ANGLE input validation fix.
  • Keep automatic browser updates enabled so that future security patches are applied promptly.
  • Configure Chrome’s site isolation and sandboxing features to limit the impact of potential exploits.

Generated by OpenCVE AI on May 29, 2026 at 15:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 29 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title Insufficient Validation in Chrome ANGLE Leads to Arbitrary Code Execution chromium-browser: Insufficient validation of untrusted input in ANGLE
Weaknesses CWE-1286
References
Metrics threat_severity

None

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important

Fri, 29 May 2026 01:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 29 May 2026 00:45:00 +0000

Type Values Removed Values Added
Title Insufficient Validation in Chrome ANGLE Leads to Arbitrary Code Execution

Thu, 28 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-20
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-30T03:56:04.976Z

Reserved: 2026-05-28T17:25:04.398Z

Link: CVE-2026-9969

cve-icon Vulnrichment

Updated: 2026-05-29T12:36:23.152Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-28T23:16:55.117

Modified: 2026-05-29T14:16:34.500

Link: CVE-2026-9969

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-9969 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T15:30:04Z

Weaknesses