CVE-2026-9975: Out of bounds read and write in ANGLE in Google Chrome prior to 148
Out of bounds read and write in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
HarborGuard Analysis
Synopsis
An out-of-bounds read and write vulnerability exists in ANGLE, the graphics abstraction layer embedded in Google Chrome versions prior to 148.0.7778.216. The flaw is reachable over the network and requires no authentication, but does require an attacker to have already compromised the Chrome renderer process and to trick a user into visiting a crafted HTML page. Successful exploitation enables a sandbox escape, granting the attacker code execution or data access outside the browser's sandboxed environment. A patched-image rebuild at version 148.0.7778.216 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-9975 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images that bundle a Chromium or Chrome runtime.
HarborGuard is capable of scoring this CVE at CVSS 8.3 (High) and weighting that score against each environment's compliance policy to determine priority. Triage routing to the appropriate team inbox within each customer organization is available automatically on detection.
A patched-image rebuild at Chrome 148.0.7778.216 is available on HarborGuard for any environment found to be running an affected version. For customers who opt into auto-remediation, HarborGuard can execute a rebuild, run regression tests, and open a pull request against affected workloads without manual intervention.
Exploit Conditions
- Network reachability: Required
  The attacker must be able to reach the target over the network, as the attack is delivered via a crafted HTML page served remotely (CVSS AV:N).
- Authentication: Not required
  No account or credential is needed to initiate the attack; the crafted page can be served to any unauthenticated browser session (CVSS PR:N).
- Victim interaction: Required
  The target user must visit the attacker-controlled or attacker-crafted HTML page for the exploit chain to proceed (CVSS UI:R).
- Attack complexity: Detail
  Exploitation is rated High complexity (CVSS AC:H), meaning the attacker must already have compromised the Chrome renderer process before the out-of-bounds primitive can be used for a sandbox escape; this is a significant precondition beyond simply serving a malicious page.
Blast Radius
- A successful attacker escapes the Chrome sandbox and gains code execution in the context of the browser process on the host system.
- Confidential data accessible to the browser process, including stored credentials, session tokens, and user profile data, can be read.
- The attacker can write to memory and file system locations accessible outside the sandbox, enabling tampering with persisted application data.
- The combination of high confidentiality, integrity, and availability impact (CVSS C:H/I:H/A:H) means the attacker can also crash or destabilize the affected process and any dependent services.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-9975 activates as soon as the CVE is ingested, matching any image that packages a Chrome or Chromium binary below version 148.0.7778.216. A patched-image rebuild at 148.0.7778.216 becomes available immediately upon detection. For customers who opt into auto-remediation, HarborGuard triggers a rebuild of the affected image, executes a regression test run, and opens a pull request against the affected workload; for high-severity issues the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and test results are staged and surfaced in the triage queue so the responsible team can review and merge on their own schedule. Because this exploit requires a pre-compromised renderer process, teams that cannot immediately apply the patch should consider network-policy controls that limit outbound connections from container workloads running Chrome-based processes, reducing the attacker's ability to serve the crafted page through a compromised upstream dependency.
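The version match described above, written out as an added example (this is not HarborGuard's code): it parses the banner a Chrome or Chromium binary prints for `--version` and compares it numerically against the fixed version given in this advisory. The banner shape and the sample strings are constructed assumptions.

```python
import re

# Fixed version as stated in this advisory.
FIXED = (148, 0, 7778, 216)

# Assumed banner shape: "Google Chrome <a.b.c.d>" or "Chromium <a.b.c.d> ...".
_BANNER = re.compile(r"\b(Google Chrome|Chromium)\s+(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(banner):
    """Return (major, minor, build, patch), or None if no version is found."""
    m = _BANNER.search(banner)
    return tuple(int(part) for part in m.groups()[1:]) if m else None


def is_affected(banner):
    """True = below the fixed version, False = fixed or newer, None = unknown."""
    version = parse_version(banner)
    if version is None:
        return None  # never report "not affected" when the version is unknown
    # Tuple comparison is numeric per component; comparing the raw strings
    # would rank "148.0.7778.99" above "148.0.7778.216".
    return version < FIXED


# Constructed sample banners, not taken from any real image.
SAMPLES = [
    "Google Chrome 148.0.7778.215",
    "Google Chrome 148.0.7778.99",
    "Chromium 148.0.7778.216 built on Debian",
    "Chromium 147.0.7700.10",
    "Mozilla Firefox 130.0",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(f"{banner!r}: affected={is_affected(banner)}")
```

An unknown result (`None`) should be routed to manual review rather than treated as clean.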
Metrics
- CVSS v3.1: 8.3
- Severity: HIGH
- Fixed in: 148.0.7778.216
- Affected Products: 1
Fix available
- Google / Chrome < 148.0.7778.216 (from 148.0.7778.216)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H