Severity: HIGH | CVE-2026-9925 | CNA: Chrome

CVE-2026-9925: Use after free in ANGLE in Google Chrome prior to 148

Use after free in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

HarborGuard Analysis

Synopsis

Use-after-free in ANGLE (the graphics-layer translation library) in Google Chrome prior to version 148.0.7778.216. Per the CVSS 3.1 vector AV:N/AC:H/PR:N/UI:R/S:C, the vulnerability is reachable over the network and requires no authentication, but it does require victim interaction and has high attack complexity. A remote attacker who has already compromised the Chrome renderer process can exploit this memory-safety flaw to escape the browser sandbox, gaining execution capability outside the renderer's restricted environment. A patched-image rebuild at version 148.0.7778.216 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection of CVE-2026-9925 is available across every HarborGuard environment, with the CVE ingested from upstream feeds and matched against customer images within minutes of publication, including custom-built images that bundle a Chrome or Chromium installation. Any container image carrying a Chrome version below 148.0.7778.216 is flagged automatically.

Status: Available

Triage

Triage is available with the CVSS 3.1 score of 8.3 (HIGH) applied to each matched image, weighted against the per-environment compliance policy configured by each customer org. Findings are routed to the inbox or ticket queue designated by each customer's policy, so the right team sees the alert without manual filtering.

Status: Available

Patch

A patched-image rebuild pinned to Chrome 148.0.7778.216 becomes available on HarborGuard for any image found running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the resulting image, and opens a pull request against affected workloads.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the crafted HTML page over the network, so the Chrome instance must be reachable or browsing to attacker-controlled content.

  • Authentication: Not required

    No credentials or account are needed; the attack is launched by getting a user to visit a crafted page on the open web.

  • Victim interaction: Required

    A user must open or be redirected to the attacker-crafted HTML page, making this a social-engineering or drive-by-browse scenario.

  • Attack complexity: Detail

    Attack complexity is HIGH, meaning the attacker must first achieve renderer-process compromise as a prerequisite before the use-after-free can be leveraged for sandbox escape, introducing environmental dependencies beyond simple payload delivery.

Blast Radius

  • Attacker escapes the Chrome renderer sandbox, breaking out of the restricted process and into the broader host environment.
  • Code runs with the privileges of the user account running Chrome, allowing reads of files, credentials, and session data accessible to that user.
  • Attacker can write or modify files and data accessible to the user on the host, including persisted application data.
  • The affected Chrome process and dependent browser services can be crashed or destabilized, causing loss of browser availability.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-9925 is active against all scanned images carrying Chrome below 148.0.7778.216, with results surfaced at CVSS 8.3 HIGH and routed per each customer's compliance policy. A patched-image rebuild at Chrome 148.0.7778.216 is available for any matched image. For customers who opt into auto-remediation, the full flow (rebuild, regression run, and PR opened against affected workloads) is triggered automatically upon detection; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, the patched image is staged and the pull request is held for reviewer sign-off.

Metrics

  • CVSS v3.1: 8.3
  • Severity: HIGH
  • Fixed in: 148.0.7778.216
  • Affected Products: 1

Fix available: 148.0.7778.216

Affected packages
  • Google / Chrome
    < 148.0.7778.216 (from 148.0.7778.216)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H