HIGH · CVE-2026-9916 · CNA: Chrome

CVE-2026-9916: Out of bounds write in ANGLE in Google Chrome prior to 148

Out of bounds write in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

HarborGuard Analysis

Synopsis

An out-of-bounds write vulnerability exists in ANGLE, the graphics translation layer used by Google Chrome versions prior to 148.0.7778.216. The flaw is reachable over the network but requires the attacker to have already compromised the Chrome renderer process and to trick a user into visiting a crafted HTML page; successful exploitation enables a sandbox escape, granting the attacker capabilities beyond the browser's isolation boundary. A patched-image rebuild at version 148.0.7778.216 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection of CVE-2026-9916 is available across every HarborGuard environment, with the CVE ingested from upstream feeds and matched against customer images within minutes of publication. This matching covers both images pulled from public registries and custom-built images that bundle a Chrome or Chromium package.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 8.3 (High) and weighting that score against each environment's compliance policy to determine urgency. Triage routing can direct findings to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

A patched-image rebuild at Chrome 148.0.7778.216 becomes available on HarborGuard for any image found to carry an affected version. For customers who opt into auto-remediation, HarborGuard can trigger the rebuild, run regression tests against it, and open a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the crafted HTML page over the network, so the target host must be reachable and the user must browse to the attacker-controlled content.

  • Authentication: Not required

    No account or credential on the target system is needed; the attack is launched from an unauthenticated remote position.

  • Victim interaction: Required

    The user must visit a crafted HTML page, meaning the attacker relies on social engineering or a malicious link to trigger the vulnerability.

  • Attack complexity: Detail

    Attack complexity is High, meaning the attacker must have first achieved a separate renderer-process compromise before this out-of-bounds write can be used for sandbox escape.

Blast Radius

  • Attacker writes data outside intended buffer bounds inside the ANGLE graphics layer, enabling control over memory that crosses the renderer sandbox boundary.
  • A successful sandbox escape lets the attacker execute code with the privileges of the browser process on the host, outside Chrome's isolation constraints.
  • Confidential data accessible to the browser process, including stored credentials, session tokens, and files the browser can read, becomes readable by the attacker.
  • The attacker can modify or delete files and data accessible to the browser process, and can disrupt or crash the browser or dependent services.

How HarborGuard Handles This

Available on HarborGuard: the fix version 148.0.7778.216 is tracked and a patched-image rebuild is available for any customer image found to carry an affected Chrome or Chromium package. For customers who opt into auto-remediation, HarborGuard can handle the full remediation flow, rebuilding the image at the patched version, running a regression test suite, and opening a pull request against affected workloads. For high-severity CVEs like this one, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers who manage remediation manually can use HarborGuard's finding detail to identify every affected image by digest and tag, and prioritize by environment exposure. Given the sandbox-escape nature of this flaw, images that bundle Chrome for use in headless or automation workloads should be treated as high priority even in non-user-facing pipelines.

Metrics

CVSS v3.1: 8.3
Severity: HIGH
Fixed in: 148.0.7778.216
Affected products: 1

Fix available: 148.0.7778.216

Affected packages
  • Google / Chrome
    < 148.0.7778.216 (from 148.0.7778.216)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H