Google ANGLE: 10 Memory Safety Bugs Disclosed in Chrome 148 Update
Google disclosed 10 vulnerabilities in its ANGLE graphics layer as part of a massive Chrome 148 security update, with several bugs rated High severity and some enabling sandbox escape.

Key findings
- 10 ANGLE CVEs disclosed in a single Chrome 148 security update on May 28, 2026
- 5 of the 10 bugs enable sandbox escape after renderer compromise
- CVE-2026-9882 rated Critical by Chromium despite a CVSSv3 score of 6.5
- Bug classes include use-after-free, heap buffer overflow, integer overflow, and out-of-bounds write
- All vulnerabilities fixed in Chrome 148.0.7778.216 (Windows/Mac/Linux)
- Part of a larger 151-vulnerability Chrome update that included 22 Critical bugs

Google's ANGLE (Almost Native Graphics Layer Engine), the critical translation layer that converts OpenGL ES calls to DirectX, Vulkan, or Metal, was the target of a 10-CVE disclosure event on May 28, 2026, all fixed in Chrome version 148.0.7778.216. The batch was published as part of a much larger Chrome security update that addressed 151 total vulnerabilities across the browser, including 22 rated Critical (Cyber Security News).
The ANGLE bugs break down into three primary memory-safety categories: use-after-free, heap buffer overflow, and integer overflow. Four of the CVEs (CVE-2026-9941, CVE-2026-9932, CVE-2026-9904, and CVE-2026-9940) involve use-after-free conditions. CVE-2026-9941 (CVSS 8.8) allows arbitrary code execution inside the sandbox via a crafted HTML page. CVE-2026-9932 (CVSS 8.3) and CVE-2026-9904 (CVSS 8.3) both enable sandbox escape, the former on Windows and the latter across platforms, but only after an attacker has already compromised the renderer process.
Heap buffer overflow bugs make up another cluster. CVE-2026-9940 (CVSS 8.8) allows a remote attacker to exploit heap corruption from a crafted HTML page. CVE-2026-9926 (CVSS 8.3) and CVE-2026-9924 (CVSS 8.3) both enable sandbox escape via heap buffer overflow, with CVE-2026-9924 specifically affecting Windows systems. An out-of-bounds write vulnerability, CVE-2026-9900 (CVSS 8.3), also enables sandbox escape after renderer compromise.
Three integer overflow bugs round out the batch. CVE-2026-9911 (CVSS 4.3, though Chromium rated it High severity) allows an out-of-bounds memory read. More critically, CVE-2026-9882 (CVSS 6.5) and CVE-2026-10019 (CVSS 8.8) both allow cross-origin data leakage — a particularly dangerous class of bug in a graphics engine that processes content from multiple origins. Notably, Chromium assigned CVE-2026-9882 a severity of Critical internally, even though the CVSSv3 score is 6.5, indicating the Chromium team assessed the real-world risk of cross-origin data exposure as higher than the raw score suggests.
The sandbox-escape CVEs (CVE-2026-9932, CVE-2026-9926, CVE-2026-9924, CVE-2026-9904, CVE-2026-9900) share a common attack chain: an attacker first compromises the Chrome renderer process (via a separate bug like CVE-2026-9941 or CVE-2026-9940), then uses the ANGLE vulnerability to break out of the browser sandbox and gain code execution on the underlying operating system. This two-step escalation is a well-known pattern in attacks on Chromium's architecture, where ANGLE's privileged GPU process access makes it a prime sandbox-escape target.
All 10 CVEs affect Chrome versions prior to 148.0.7778.216 on Windows, 148.0.7778.215/216 on macOS, and 148.0.7778.215 on Linux. Google has released the patched builds to the Stable channel, with rollout scheduled over the coming days and weeks. As is standard practice for Chrome security updates, Google is restricting detailed bug information until most users have received the patch to reduce the window for weaponization (Cyber Security News).
For organizations running Chrome in enterprise environments, this batch underscores the importance of treating ANGLE — a component most users never interact with directly — as a critical security boundary. The combination of code-execution bugs in the renderer and sandbox-escape bugs in ANGLE means that chaining even two of these vulnerabilities could give an attacker full system access from a single malicious webpage. Administrators should prioritize deploying Chrome 148.0.7778.216 or later across all platforms.