HIGH | CVE-2026-9914 | Published | Modified | CNA: Chrome

CVE-2026-9914: Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 148

Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

HarborGuard Analysis

Synopsis

Insufficient input validation in ANGLE (Almost Native Graphics Layer Engine), the graphics translation layer inside Google Chrome, allows a remote attacker who has already compromised the renderer process to escape the browser sandbox via a crafted HTML page. The vulnerability is reachable over the network but requires the victim to visit an attacker-controlled page, and the CVSS attack complexity is rated High because a renderer compromise is a prerequisite. Successful exploitation has full confidentiality, integrity, and availability impact outside the sandbox, effectively breaking Chrome's primary isolation boundary. A patched-image rebuild at version 148.0.7778.216 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle a Chrome or Chromium binary.

Status: Available

Triage

HarborGuard scores this finding at CVSS 8.3 (High) and weights it against each environment's compliance policy to determine urgency and routing, delivering the finding to the appropriate team inbox inside the customer org.

Status: Available

Patch

A patched-image rebuild pinned to Chrome 148.0.7778.216 becomes available on HarborGuard for any image found to carry an affected version. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, runs regression tests, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the crafted HTML page over the network, so the affected Chrome instance must be reachable and able to browse to an attacker-controlled URL.

  • Authentication: Not required

    No account or credential is required; any user who visits the malicious page is a viable target.

  • Victim interaction: Required

    The victim must navigate to or be socially engineered into loading the attacker-crafted HTML page in their browser.

  • Attack complexity: Detail

    Exploitation is rated high complexity because a renderer-process compromise is a prerequisite: the ANGLE input-validation flaw can be used to escape the sandbox only after the renderer has been compromised.

Blast Radius

  • Once the sandbox boundary is crossed, the attacker reads files, credentials, and session data accessible to the Chrome process on the host.
  • The attacker writes or modifies files and data on the host system outside the sandbox, including user-profile data and potentially persistent storage.
  • The attacker can terminate processes or consume host resources, disrupting the availability of the browser and other services on the machine.
  • With code execution outside the sandbox, the attacker gains a foothold on the underlying host and can pivot to further compromise the local environment.

How HarborGuard Handles This

Available on HarborGuard: any image carrying a Chrome binary older than 148.0.7778.216 is flagged automatically as each ingest cycle runs. Because this is a High-severity sandbox escape caused by insufficient input validation in the graphics layer, it is prioritized accordingly in the triage queue. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at the fixed version, runs regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments that require manual review before merging, the finding card includes the fixed version, the CVSS vector, and a direct link to the Chromium security advisory so engineers have the full context needed to approve the change quickly.

Metrics

CVSS v3.1: 8.3
Severity: HIGH
Fixed in: 148.0.7778.216
Affected Products: 1

Fix available: 148.0.7778.216

Affected packages
  • Google / Chrome
    < 148.0.7778.216 (from 148.0.7778.216)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H