CVE-2026-9969: Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 148
Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
HarborGuard Analysis
Synopsis
Insufficient input validation in ANGLE, the graphics abstraction layer used by Google Chrome, allows a remote attacker to execute arbitrary code. The vulnerability is reachable over the network and requires no authentication, though the victim must visit a crafted HTML page. Successful exploitation gives the attacker full code execution in the context of the browser process, enabling data theft, tampering, or further system compromise. A patched-image rebuild at version 148.0.7778.216 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
- Detection of CVE-2026-9969 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream publication. Coverage extends to custom-built images that bundle a Chromium or Chrome binary below version 148.0.7778.216. Status: Available.
- HarborGuard is capable of scoring this CVE at CVSS 8.8 (High) and weighting it further against each customer organization's compliance policy to surface urgency appropriately. Triage routing to the correct team inbox within each org is available based on image ownership and policy configuration. Status: Available.
- A patched-image rebuild at Chrome 148.0.7778.216 becomes available on HarborGuard for any image found to contain an affected version. For customers with auto-remediation enabled, HarborGuard can perform the rebuild, run regression tests, and open a pull request against affected workloads automatically. Status: Available.
Exploit Conditions
- Network reachability: Required
The attacker must reach the victim over the network by serving a crafted HTML page from a remote origin.
- Authentication: Not required
No account or credential is needed on the targeted system; the attacker operates as an anonymous remote party.
- Victim interaction: Required
The victim must navigate to or be redirected to the attacker-controlled HTML page, making this a social-engineering or drive-by scenario.
- Attack complexity: Low
Exploit complexity is low, meaning no race conditions or special environmental factors are required and exploitation is reliable when the victim loads the page.
Blast Radius
- The attacker executes arbitrary code in the Chrome browser process, gaining the same privileges as the running browser instance.
- Confidential data accessible to the browser, including session tokens, saved credentials, and locally cached files, is exposed to the attacker.
- The attacker can write or modify data within the browser's storage and any files the browser process has write access to.
- The browser process can be crashed or kept under attacker control, disrupting the user's session and any dependent services.
How HarborGuard Handles This
Available on HarborGuard: detection for this CVE is matched against all images in connected registries and pipelines within minutes of publication, including custom images that ship a Chrome or Chromium binary. Where compliance policy permits, HarborGuard can trigger a patched-image rebuild pinned to version 148.0.7778.216; for customers with auto-remediation enabled, the pipeline performs the rebuild, executes regression tests, and opens a pull request against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues. Customers not yet on auto-remediation can use the HarborGuard findings feed to prioritize manual remediation, and network-policy controls (restricting outbound access from containers that bundle Chrome) are available as a compensating control while upgrades are scheduled.
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 148.0.7778.216
- Affected Products: 1
Fix available
- Google / Chrome: < 148.0.7778.216 (fixed in 148.0.7778.216)
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H