CVE-2026-9926: Heap buffer overflow in ANGLE in Google Chrome prior to 148
Heap buffer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
HarborGuard Analysis
Synopsis
Heap buffer overflow in the ANGLE graphics layer of Google Chrome prior to version 148.0.7778.216 allows a remote attacker who has already compromised the Chrome renderer process to escape the browser sandbox via a crafted HTML page. The vulnerability is reachable over the network but requires the victim to visit a malicious page, and exploitation is made harder by the high attack complexity rating (AC:H) in the CVSS vector. Successful exploitation gives the attacker full read, write, and crash capability outside the sandbox, effectively breaking Chrome's primary isolation boundary. A patched-image rebuild at 148.0.7778.216 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-9926 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against container images in customer registries and CI/CD pipelines, including custom-built images that bundle or depend on a Chrome or Chromium installation. Any image carrying a Chrome version below 148.0.7778.216 is flagged automatically.
HarborGuard scores this CVE at 8.3 HIGH using the published CVSS v3.1 vector and weights the finding against each environment's compliance policy to determine urgency and routing. The resulting alert is directed to the appropriate team inbox within the customer org based on image ownership and policy configuration.
A patched-image rebuild at Chrome 148.0.7778.216 is available on HarborGuard for any image found to carry an affected version. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite against the updated image, and open a pull request against affected workloads automatically.
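The detection described above comes down to one check: does the Chrome or Chromium package in an image sort strictly below 148.0.7778.216? The following is an added example, not HarborGuard's scanner, showing that check over a constructed image inventory. The one thing it has to get right is comparing dotted versions numerically rather than as strings; a string compare would rank 148.0.7778.99 above 148.0.7778.216 and miss an affected image.

```python
"""Flag container images whose bundled Chrome/Chromium is below the fixed version.

Added example for this advisory; not HarborGuard's code. The inventory and
image names below are constructed for illustration.
"""
from typing import List, Tuple

FIXED_VERSION = "148.0.7778.216"  # fixed version from the advisory above

# Constructed inventory: (image name, package name, version string)
INVENTORY = [
    ("ci/headless-render:2026.03", "google-chrome-stable", "148.0.7778.99"),
    ("ci/headless-render:2026.04", "google-chrome-stable", "148.0.7778.216"),
    ("tools/pdf-export:latest", "chromium", "147.0.7700.12"),
    ("tools/pdf-export:next", "chromium", "149.0.7800.1"),
    ("base/python:3.12", "python3", "3.12.4"),
]

# Package names treated as a Chrome installation (assumed set for this example)
CHROME_PACKAGES = {"google-chrome-stable", "google-chrome",
                   "chromium", "chromium-browser"}


def parse_version(version: str) -> Tuple[int, ...]:
    """'148.0.7778.216' -> (148, 0, 7778, 216); rejects non-numeric parts."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("unparseable version: %r" % version)
    return tuple(int(p) for p in parts)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when version sorts strictly below the fixed version.

    Integer tuples compare component by component. A shorter tuple that
    matches the prefix (e.g. 148.0) sorts below the longer one, which is the
    conservative answer for a truncated version string.
    """
    return parse_version(version) < parse_version(fixed)


def flag_affected(inventory) -> List[str]:
    """Return the names of images carrying an affected Chrome/Chromium package."""
    flagged = []
    for image, package, version in inventory:
        if package in CHROME_PACKAGES and is_affected(version):
            flagged.append(image)
    return flagged


if __name__ == "__main__":
    for image in flag_affected(INVENTORY):
        print("AFFECTED", image)
```

Only the two images with Chrome 148.0.7778.99 and Chromium 147.0.7700.12 are flagged; the image already at 148.0.7778.216 and the one at 149.0.7800.1 pass, and the non-Chrome image is ignored.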
Exploit Conditions
- Network reachability: Required
  The attacker must reach the victim over the network by serving a crafted HTML page from a remote origin.
- Authentication: Not required
  No account or credential is needed; any unauthenticated remote attacker can attempt to deliver the exploit page.
- Victim interaction: Required
  The victim must navigate to or be social-engineered into loading the attacker-controlled HTML page in the affected Chrome browser.
- Attack complexity: High
  Exploitation is rated AC:H: the attacker must already have compromised the renderer process before the heap overflow can be used for a sandbox escape, which is a significant precondition.
Blast Radius
- A successful attacker reads data from outside the Chrome sandbox, including files and memory regions that the renderer would normally be blocked from accessing.
- The attacker writes arbitrary data outside the sandbox boundary, enabling persistent changes to the host filesystem or injection into other processes.
- The attacker can crash the host-side Chrome process or dependent system components, causing a denial of service at the browser or OS level.
- Because the sandbox is fully escaped, any subsequent payload runs with the privileges of the user who launched Chrome, not the restricted renderer context.
How HarborGuard Handles This
Available on HarborGuard: images containing Chrome below 148.0.7778.216 are flagged at ingest, scored at 8.3 HIGH, and a rebuild at the patched version is made available immediately. For customers who opt into auto-remediation, HarborGuard initiates a rebuild, executes a regression run against the updated image, and opens a pull request against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where auto-remediation is not enabled, the finding routes to the assigned team inbox with full CVSS detail and image provenance so engineers can prioritize the upgrade manually. Given that exploitation requires a pre-compromised renderer, teams should also consider whether their deployment surfaces Chrome in a context where renderer compromise is plausible (for example, headless browser pipelines processing untrusted input), and apply network-policy isolation or input-validation controls as compensating measures while the patch is staged.
Metrics
- CVSS v3.1: 8.3
- Severity: HIGH
- Fixed in: 148.0.7778.216
- Affected Products: 1
Fix available
- Google / Chrome: < 148.0.7778.216 (from 148.0.7778.216)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H