PatchSiren

CVE-2026-9904 Google CVE debrief

A use-after-free vulnerability in ANGLE, the graphics layer used by Google Chrome, was patched in Chrome 148.0.7778.216. The flaw could allow a remote attacker to potentially escape the browser sandbox via a crafted HTML page. Google rated this vulnerability as High severity. The issue was reported to the Chromium project and fixed in the stable channel release on May 28, 2026.

Vendor: Google
Product: Chrome
CVSS: HIGH 8.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations with large Chrome deployments, security teams monitoring browser-based threats, and endpoint protection teams concerned with sandbox escape vulnerabilities that could enable further system compromise.

Technical summary

This vulnerability exists in ANGLE (Almost Native Graphics Layer Engine), which translates OpenGL ES API calls to native graphics APIs. A use-after-free condition can occur during graphics processing, potentially allowing an attacker to corrupt memory and escape the Chrome sandbox. The sandbox escape vector elevates the risk beyond typical browser memory corruption, as it could enable access to the underlying operating system. The fix was released in Chrome stable channel on May 28, 2026.

Defensive priority

High

Recommended defensive actions

  • Upgrade Google Chrome to version 148.0.7778.216 or later to address this use-after-free vulnerability in ANGLE
  • Monitor for unexpected browser crashes or sandbox escape attempts on endpoints running Chrome versions prior to 148.0.7778.216
  • Review application logs for suspicious HTML page rendering activity that may indicate exploitation attempts
  • Consider implementing site isolation policies and restricting execution of untrusted web content where feasible
  • Apply security updates promptly as this vulnerability carries High severity and could enable sandbox escape

Evidence notes

Vulnerability description and patch information sourced from NVD record and official Chrome release notes. CWE-416 (Use After Free) confirmed by NVD weakness data. Vendor attribution to Google Chrome based on source references from [email protected].
