HIGH | CVE-2026-9910 | CNA: Chrome

CVE-2026-9910: Out of bounds memory access in ANGLE in Google Chrome prior to 148

Out of bounds memory access in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

HarborGuard Analysis

Synopsis

Out-of-bounds memory access in the ANGLE graphics layer of Google Chrome (versions before 148.0.7778.216) allows a remote attacker to execute arbitrary code inside the Chrome sandbox. The attack is reachable over the network and requires no authentication, but the victim must visit a crafted HTML page. Successful exploitation gives the attacker code execution within the browser sandbox, with high confidentiality, integrity, and availability impact on the affected process. A patched-image rebuild at 148.0.7778.216 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection of CVE-2026-9910 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle a Chromium or Chrome binary. Both registry scans and active CI/CD pipeline checks are capable of surfacing affected versions.

Status: Available

Triage

HarborGuard can score this CVE at CVSS 8.8 (HIGH) and weight it against each environment's compliance policy to determine urgency and routing. Triage findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

A patched-image rebuild pinned to Chrome 148.0.7778.216 becomes available through HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network by directing the victim to a remote crafted HTML page, so the affected browser must be able to load content from an external network origin.

  • Authentication: Not required

    No account or credential is needed; the attacker only needs to get the victim to load a URL.

  • Victim interaction: Required

    The victim must visit a crafted HTML page, making this a social-engineering vector that requires the user to click a link or be redirected.

  • Attack complexity: Detail

    Attack complexity is rated low (AC:L in the CVSS vector), meaning the exploit is expected to be reliable and does not depend on race conditions, a specific memory layout, or other hard-to-control environmental factors.

Blast Radius

  • The attacker executes arbitrary code inside the Chrome renderer sandbox, gaining full control of that sandboxed process.
  • Confidentiality impact is high: the attacker reads memory contents within the sandbox, which may include session tokens, cached credentials, or page data.
  • Integrity impact is high: the attacker writes or corrupts memory within the process, enabling data tampering or staging of a sandbox-escape chain.
  • Availability impact is high: the attacker can crash or destabilize the affected Chrome process, terminating the user session.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-9910 is active across all scanned registries and pipelines, matching any image that packages a Chrome or Chromium binary older than 148.0.7778.216. For customers who opt into auto-remediation, HarborGuard triggers a rebuilt image at the patched version, runs a regression check, and opens a PR against affected workloads. For high-severity CVEs, the median time from publication to merged patch PR in environments with auto-remediation enabled is around 90 minutes. Where compliance policy requires manual review before merging, the rebuilt image and regression results are staged and a triage ticket is routed to the configured owner for approval.
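A version check for the affected range described above, added here as an illustration; it is not HarborGuard's matching logic. The image names and `--version` output strings are constructed samples, and only the fixed version 148.0.7778.216 comes from this page.

```python
import re

# Fixed version from the advisory; Chrome versions are MAJOR.MINOR.BUILD.PATCH.
FIXED = (148, 0, 7778, 216)

# Exactly four dot-separated integers, not part of a longer dotted number.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?!\.?\d)")


def parse_version(text):
    """Return the first four-part version found in text as a tuple of ints."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_output, fixed=FIXED):
    """Return 'affected', 'patched', or 'unknown' for one --version string."""
    version = parse_version(version_output)
    if version is None:
        return "unknown"  # no binary, or output we cannot parse: review by hand
    # Tuple comparison is numeric per component; comparing the raw strings
    # would rank "148.0.7778.99" and "99.0.4844.84" above the fixed version.
    return "affected" if version < fixed else "patched"


# Constructed sample inventory: hypothetical image names mapped to the text
# printed by the browser's --version flag inside each image.
SAMPLE_INVENTORY = {
    "registry.example/web-render:1": "Google Chrome 148.0.7778.99",
    "registry.example/pdf-export:7": "Chromium 148.0.7778.216 built on Debian 12.4",
    "registry.example/e2e-tests:3": "Google Chrome 149.0.7800.10",
    "registry.example/legacy:2": "Google Chrome 99.0.4844.84",
    "registry.example/scratch:1": "sh: chrome: not found",
}


def triage(inventory):
    """Classify every image in the inventory."""
    return {image: classify(output) for image, output in inventory.items()}


if __name__ == "__main__":
    for image, status in triage(SAMPLE_INVENTORY).items():
        print(f"{status:9} {image}")
```

Images reported as `unknown` still need a manual look, since a browser binary may be present under a path or name the inventory step did not query.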

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: 148.0.7778.216
  • Affected Products: 1

Fix available: 148.0.7778.216

Affected packages
  • Google / Chrome
    < 148.0.7778.216 (from 148.0.7778.216)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H