PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8567 Google CVE debrief

CVE-2026-8567 is an integer overflow vulnerability in ANGLE, the graphics layer used by Google Chrome on Windows. The flaw, rated Medium severity with a CVSS score of 4.3, could allow a remote attacker to perform an out-of-bounds memory write by enticing a user to visit a crafted HTML page. The vulnerability was addressed in Chrome version 148.0.7778.168, released on May 12, 2026. The issue was tracked internally by Google as bug 484986863. No active exploitation has been reported in CISA's Known Exploited Vulnerabilities catalog.

Vendor: Google
Product: Chrome
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-19
Advisory published: 2026-05-14
Advisory updated: 2026-05-19

Who should care

Windows users running Google Chrome versions prior to 148.0.7778.168; enterprise security teams managing Chrome deployments; organizations with users who may visit untrusted web content.

Technical summary

The vulnerability exists in ANGLE (Almost Native Graphics Layer Engine), which translates OpenGL ES API calls to hardware-supported APIs on Windows. An integer overflow condition can occur during graphics processing, leading to an out-of-bounds memory write. The attack requires user interaction (visiting a malicious page) and results in integrity impact only, with no confidentiality or availability impact per CVSS scoring. The fix was included in Chrome 148.0.7778.168 released May 12, 2026.

Defensive priority

medium

Recommended defensive actions

  • Update Google Chrome on Windows systems to version 148.0.7778.168 or later to remediate this vulnerability.
  • Verify Chrome version via chrome://settings/help and apply pending updates if automatic updates are not enabled.
  • Consider enabling automatic updates for Chrome in enterprise environments to ensure timely patch deployment.
  • Monitor for unusual browser crashes or graphics rendering anomalies that could indicate exploitation attempts.
  • Review and apply the principle of least privilege for user accounts to limit the impact of potential browser-based attacks.
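
The version check in the actions above, scaled to a fleet export. This is an added example, not code from Google or PatchSiren; the host names, OS labels and inventory rows are constructed, and the (host, OS, version) layout is an assumption about how your inventory tool exports data.

```python
# Added example: triage a Chrome inventory against the fixed build from this debrief.
FIXED_BUILD = (148, 0, 7778, 168)  # fixed version stated on this page

# Constructed sample inventory (hypothetical hosts): hostname, OS, Chrome version.
SAMPLE_INVENTORY = [
    ("ws-001", "Windows", "148.0.7778.168"),
    ("ws-002", "Windows", "148.0.7778.99"),
    ("ws-003", "Windows", "147.0.7700.210"),
    ("ws-004", "Windows", "149.0.7801.12"),
    ("ws-005", "Windows", "unknown"),
    ("mac-001", "macOS", "147.0.7700.210"),
]


def parse_version(text):
    """Return a 4-tuple of ints for 'a.b.c.d', or None if the string is malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def triage(inventory, fixed=FIXED_BUILD):
    """Sort hosts into 'patched', 'vulnerable', 'unknown' or 'out_of_scope'."""
    result = {"patched": [], "vulnerable": [], "unknown": [], "out_of_scope": []}
    for host, os_name, version_text in inventory:
        if os_name.lower() != "windows":
            # The debrief scopes this CVE to Chrome on Windows.
            result["out_of_scope"].append(host)
            continue
        version = parse_version(version_text)
        if version is None:
            # Unparseable data is surfaced for follow-up, never assumed patched.
            result["unknown"].append(host)
        elif version < fixed:
            # Tuple comparison is numeric per component, so build 99 < build 168.
            result["vulnerable"].append(host)
        else:
            result["patched"].append(host)
    return result


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Comparing the raw version strings instead of parsed tuples would rank 148.0.7778.99 above 148.0.7778.168 and report ws-002 as patched.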

Evidence notes

Vulnerability description and affected versions were confirmed via NVD CPE data and the Google Chrome Release Notes. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N indicates a network attack vector with user interaction required, resulting in low integrity impact. CWE-472 (External Control of Assumed-Immutable Web Parameter) is listed as a secondary weakness classification.
