Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
Critical

Heap buffer overflow in ANGLE in Google Chrome

IdentifiersCVE-2026-6296CWE-122· Heap-based Buffer Overflow

CVE-2026-6296 is a critical heap buffer overflow vulnerability in ANGLE affecting Google Chrome versions prior to 147.0.7727.101. ANGLE is Chrome’s graphics translation layer, and the flaw is described by Google as a heap buffer overflow reachable via web content. A remote attacker could trigger the vulnerable condition by convincing a target to load a crafted HTML page. Google states the issue could potentially be used to achieve a sandbox escape. Publicly available source material does not provide the exact vulnerable function or code path, but the bug is tracked in the Chromium issue tracker as issue 490170083.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation could allow a remote attacker to cross Chrome’s normal renderer isolation boundary and potentially achieve a sandbox escape. The published CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) indicates high impact to confidentiality, integrity, and availability with scope changed, consistent with the possibility of arbitrary code execution or compromise of a more privileged process beyond the renderer. Google classified the issue as Critical.

Mitigation

If you can’t patch tonight, do this now.

No specific workaround or configuration-based mitigation is provided in the available content. The practical mitigation is to apply the vendor update promptly and ensure all Chromium-based browsers in the environment have incorporated the fix. Standard browser-hardening measures may reduce exposure, but patching is the only confirmed mitigation in the provided material.

Remediation

Patch, then assume compromise.

Update Google Chrome to version 147.0.7727.101 or later. On Windows and macOS, Google’s stable release for this fix was 147.0.7727.101/102; on Linux, 147.0.7727.101. Chromium-based browsers should also be updated once they incorporate the upstream Chromium fix for this issue.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
GoogleChromeapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

11 SOURCESView more in app
cyber security newsNews
Apr 16, 2026
Critical Chrome Vulnerabilities Let Attackers Execute Arbitrary Code - Update Now!

A critical heap buffer overflow vulnerability in Chrome's ANGLE graphics engine that could enable arbitrary code execution.

Read more
cvefeed high severityNews
Apr 15, 2026
CVE-2026-6296 - Google Chrome ANGLE Heap Buffer Overflow

A critical heap buffer overflow vulnerability in ANGLE in Google Chrome that could allow a remote attacker to potentially perform a sandbox escape via a crafted HTML page.

Read more
chrome releases blogNews
Apr 15, 2026
Chrome Releases: Stable Channel Update for Desktop

A critical heap buffer overflow vulnerability in ANGLE in Google Chrome.

Read more
zeropath blogNews
Apr 15, 2026
Google Chrome CVE-2026-6297: Brief Summary of a Critical Use After Free in the Proxy Component Enabling Sandbox Escape - ZeroPath Blog | ZeroPath

A critical heap buffer overflow vulnerability in Chrome's ANGLE component mentioned as part of the same April 2026 Chrome security release.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity6

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-6296
NVD
nvd.nist.gov/vuln/detail/CVE-2026-6296
MITRE CWE · CWE-122
Heap-based Buffer Overflow
Vendor Advisory
chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html
Permissions Required
issues.chromium.org/issues/490170083