PatchSiren cyber security CVE debrief

CVE-2026-9953 Google CVE debrief

Out-of-bounds read in ANGLE (Almost Native Graphics Layer Engine) within Google Chrome versions prior to 148.0.7778.216. A remote attacker can leverage a crafted HTML page to read beyond allocated buffer boundaries in process memory, potentially exposing sensitive information. The Chromium project rates this flaw as High severity. The vulnerability was disclosed via the Chrome stable channel release notes on May 28, 2026, and is tracked in the Chromium issue tracker.

Vendor: Google
Product: Chrome
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations with unmanaged or slow-to-update Chrome deployments, particularly those in high-threat environments where targeted phishing or drive-by compromise is a concern. Also relevant for VDI and remote browser isolation providers relying on Chrome rendering engines.

Technical summary

The vulnerability exists in ANGLE, the layer Chrome uses to translate OpenGL ES API calls into native graphics APIs (DirectX, Metal, Vulkan, or desktop OpenGL). An out-of-bounds read (CWE-125) can be triggered when processing crafted HTML content, allowing a remote attacker to read sensitive data from process memory. The attack requires user interaction (rendering a malicious page) but needs no privileges. The confidentiality impact is rated High per the CVSS vector, with no integrity or availability impact. The fix was released in Chrome 148.0.7778.216.

Defensive priority

High

Recommended defensive actions

  • Upgrade Google Chrome to version 148.0.7778.216 or later to eliminate the vulnerable ANGLE code path.
  • Restrict or monitor execution of untrusted HTML content in browser environments until patching is complete.
  • Review browser memory isolation policies and site isolation settings as compensating controls against renderer process memory disclosure.
  • Monitor for anomalous renderer crashes or GPU process errors that may indicate attempted exploitation of ANGLE parsing flaws.

Evidence notes

CVE description confirms out-of-bounds read in ANGLE with information disclosure impact. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N yields a base score of 6.5 (Medium). Chromium severity is High. NVD status is Undergoing Analysis. No KEV listing present. Vendor attribution is to Google Chrome based on source references, though the vendor field in source data is marked low-confidence and flagged for review.

Official resources

2026-05-28