PatchSiren cyber security CVE debrief
CVE-2026-6296 Google CVE debrief
A critical heap buffer overflow vulnerability in ANGLE, the graphics layer used by Google Chrome, enables remote attackers to potentially escape the browser sandbox through malicious HTML content. The flaw resides in Chrome versions prior to 147.0.7727.101 and carries a CVSS 3.1 score of 9.6, reflecting severe impact across confidentiality, integrity, and availability with low attack complexity. ANGLE (Almost Native Graphics Layer Engine) translates OpenGL ES API calls to platform-native graphics APIs, making this vulnerability particularly dangerous as it sits at a trust boundary between web content and the underlying operating system graphics stack. The sandbox escape potential elevates this beyond typical browser memory corruption bugs, as successful exploitation could grant attacker code execution at the user privilege level outside Chrome's restricted environment. Google assigned Chromium security severity 'Critical' to this issue. The vulnerability was disclosed in April 2026 and modified in NVD records as of late May 2026, with no known exploitation in ransomware campaigns per available threat intelligence.
- Vendor
- Product: Chrome
- CVSS: CRITICAL 9.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-15
- Original CVE updated: 2026-05-26
- Advisory published: 2026-04-15
- Advisory updated: 2026-05-26
Who should care
Enterprise security teams managing Chrome deployments, organizations with bring-your-own-device policies relying on browser isolation, developers of web-facing applications depending on Chrome sandbox guarantees, and incident response teams tracking browser exploitation chains. The sandbox escape potential makes this particularly relevant for high-security environments where browser compromise must remain contained.
Technical summary
The vulnerability exists in ANGLE, Chrome's translation layer between OpenGL ES and native platform graphics APIs. A heap buffer overflow condition allows crafted HTML pages to corrupt memory in ways that may subvert the browser's multi-process sandbox architecture. Successful exploitation could transition from renderer process compromise to code execution at the host operating system user privilege level. The attack vector requires user interaction (rendering malicious HTML) but no privileges, with network-based delivery and low complexity. Scope change (S:C) in CVSS indicates impact beyond the vulnerable component to the broader host environment.
Defensive priority
critical
Recommended defensive actions
- Upgrade Google Chrome to version 147.0.7727.101 or later immediately.
- Verify automatic update mechanisms are enabled for Chrome installations across all managed endpoints.
- For environments with extended validation requirements, confirm the browser version through chrome://version/ and compare it against the fixed release.
- Review endpoint detection and response (EDR) alerts for anomalous browser child process spawning or unexpected graphics API calls that may indicate exploitation attempts.
- Consider implementing site isolation policies and disabling renderer code integrity where supported as defense-in-depth measures pending full fleet patching.
- Monitor Chromium security advisories for any post-release stability or security updates to the 147.x branch.
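The version comparison behind the upgrade and verification steps above, as an added example (not PatchSiren or Google code). The CSV layout, hostnames and sample version strings are constructed assumptions; only the fixed build 147.0.7727.101 comes from this page.

```python
import csv
import io
import re

FIXED = (147, 0, 7727, 101)  # first fixed Chrome build, per the advisory above

# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = """host,chrome_version
ws-001,147.0.7727.101
ws-002,147.0.7727.99
ws-003,Google Chrome 146.0.7680.80
ws-004,148.0.7750.12
ws-005,
ws-006,147.0.7727
"""

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the 4-part Chrome version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(text, fixed=FIXED):
    """'patched', 'vulnerable', or 'unknown' (unparseable values need follow-up)."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    # Tuple comparison is numeric per component; comparing the raw strings
    # would rank "147.0.7727.99" above "147.0.7727.101".
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory_csv):
    """Map each status to the list of hosts that fall under it."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        result[classify(row["chrome_version"])].append(row["host"])
    return result


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown have an empty or truncated version field and should be treated as unpatched until re-inventoried.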
Evidence notes
Vendor advisory confirms fix in Chrome 147.0.7727.101. NVD CPE data indicates affected product as Google Chrome with vulnerable versions prior to 147.0.7727.101. CWE-122 (Heap-based Buffer Overflow) assigned as primary weakness. CVSS vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H supports critical rating. Chromium issue tracker reference 490170083 exists but requires permissions to access.
Official resources
- CVE-2026-6296 CVE record (CVE.org)
- CVE-2026-6296 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference (Release Notes, Vendor Advisory)
- Source reference (Permissions Required)
2026-04-15