Severity: HIGH | CVE-2026-9915 | CNA: Chrome

CVE-2026-9915: Heap buffer overflow in ANGLE in Google Chrome prior to 148

Heap buffer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

HarborGuard Analysis

Synopsis

A heap buffer overflow in ANGLE, the graphics abstraction layer inside Google Chrome, affects all Chrome versions prior to 148.0.7778.216. The vulnerability is reachable over the network but requires the attacker to have already compromised the renderer process; a victim must also open a crafted HTML page. Successful exploitation allows the attacker to escape Chrome's sandbox, giving them full code execution on the host system with the ability to read, modify, or destroy data outside the browser process. A patched-image rebuild at version 148.0.7778.216 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-9915 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI pipelines within minutes of upstream publication. Coverage extends to custom-built images that bundle a Chromium or Chrome binary, not only official base images.

Available
Triage

HarborGuard scores this CVE at CVSS 8.3 (HIGH) and is capable of applying per-environment compliance policy weighting to escalate or suppress routing based on each organization's risk posture. Triage findings are routed to the appropriate team inbox within each customer organization according to configured policy.

Available
Patch

A patched-image rebuild at Chrome 148.0.7778.216 becomes available on HarborGuard for any image found to contain an affected Chrome or Chromium version. For customers who opt into auto-remediation, HarborGuard runs a rebuild plus regression tests and opens a PR against affected workloads automatically.

Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the crafted HTML page over the network, so the targeted Chrome instance must be reachable or the victim must browse to an attacker-controlled URL.

  • Authentication: Not required

    No account or credential is needed; any user browsing to the crafted page is a viable target.

  • Victim interaction: Required

    The victim must open a crafted HTML page, meaning the attacker must socially engineer the user into visiting a malicious URL or embedded frame.

  • Attack complexity: Detail

    Exploitation is rated High complexity because the attacker must have already compromised the renderer process before the heap overflow can be used for a sandbox escape, introducing a prerequisite exploitation stage.

Blast Radius

  • The attacker breaks out of Chrome's sandbox and executes arbitrary code as the OS user running Chrome.
  • Files, credentials, and secrets readable by that OS user become accessible to the attacker.
  • The attacker can write or delete files on the host filesystem, including configuration, keys, and application data.
  • The attacker can crash or destabilize host processes beyond the browser, disrupting services running under the same user context.

How HarborGuard Handles This

Available on HarborGuard: any image containing a Chrome or Chromium binary below version 148.0.7778.216 is flagged immediately upon ingest, using feed data ingested within minutes of the CVE's publication date of 2026-05-28. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at Chrome 148.0.7778.216, executes a regression test run, and opens a PR against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR in auto-remediation-enabled environments is around 90 minutes. For environments where auto-remediation is not enabled, the finding appears in the team inbox with severity 8.3 HIGH and fix-version metadata attached so engineers can act without additional research. Because this is a browser-layer vulnerability requiring a compromised renderer as a precondition, teams shipping server-side container images with embedded Chrome (for headless rendering workloads) should treat this as critical-priority patching given the elevated privilege those processes often carry.

Metrics

CVSS v3.1: 8.3
Severity: HIGH
Fixed in: 148.0.7778.216
Affected Products: 1

Fix available: 148.0.7778.216

Affected packages
  • Google / Chrome
    < 148.0.7778.216 (from 148.0.7778.216)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H