Description
Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-28
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from insufficient validation of untrusted input within ANGLE, a graphics abstraction layer in Google Chrome. The flaw allows a remote attacker who already has access to the renderer process—such as through a compromised web page—to potentially escape the renderer sandbox. This could give the attacker privileges beyond the browser’s limited sandbox, enabling them to execute arbitrary code or manipulate system resources. The weaknesses are identified as CWE-20 (Improper Input Validation) and CWE-1286.

Affected Systems

Google Chrome web browsers prior to version 148.0.7778.216 are affected. The issue has been reported for all platforms that ship Chrome in the stable channel before this release; it is inferred that Windows, macOS and Linux are affected. Versions 148.0.7778.216 and later contain the patch that restores proper input validation in ANGLE.

Risk and Exploitability

The EPSS score is < 1% and the CVSS score of 8.3 reflects a high severity level. The Chromium team has labeled the issue as high severity, and the vulnerability is not listed by CISA in its KEV catalog. Because exploitation requires the attacker to already control the renderer process, the risk is contingent on initial compromise of a web page. Nonetheless, if an attacker can deliver a crafted HTML page that triggers the flaw, they could gain elevated privileges on the host. This risk is amplified for users who frequently visit untrusted sites or download potentially malicious content.

Generated by OpenCVE AI on May 29, 2026 at 17:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Chrome update to 148.0.7778.216 or later, which includes a fix for ANGLE input validation.
  • Configure Chrome to automatically install security updates to prevent future exposure.
  • Avoid opening untrusted HTML content in the browser until the update has been applied, and consider using a network content filter to block malicious sites.



Advisories

No advisories yet.

History

Fri, 29 May 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | cvssV3_1: {'score': 8.0, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H'} | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}; cvssV3_1: {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}


Fri, 29 May 2026 12:15:00 +0000

Type | Values Removed | Values Added
Title | ANGLE Input Validation Vulnerability Enabling Sandbox Escape in Chrome | chromium-browser: Insufficient validation of untrusted input in ANGLE
Weaknesses | | CWE-1286
References | |
Metrics | threat_severity: None | cvssV3_1: {'score': 8.0, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H'}; threat_severity: Important


Fri, 29 May 2026 01:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google; Google chrome
Vendors & Products | | Google; Google chrome

Fri, 29 May 2026 00:45:00 +0000

Type | Values Removed | Values Added
Title | | ANGLE Input Validation Vulnerability Enabling Sandbox Escape in Chrome

Thu, 28 May 2026 22:45:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Weaknesses | | CWE-20
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-29T15:57:17.456Z

Reserved: 2026-05-28T17:25:07.245Z

Link: CVE-2026-9982

Vulnrichment

Updated: 2026-05-29T15:57:14.510Z

NVD

Status: Undergoing Analysis

Published: 2026-05-28T23:16:56.437

Modified: 2026-05-29T16:16:39.960

Link: CVE-2026-9982

Redhat

Severity: Important

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-9982 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T18:00:05Z

Weaknesses