Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Integer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
AnalysisAI
Cross-origin data leakage in Google Chrome versions prior to 148.0.7778.216 stems from an integer overflow in the ANGLE graphics translation layer, allowing a remote attacker who lures a user to a crafted HTML page to bypass same-origin protections and exfiltrate sensitive data from other domains. The flaw carries a CVSS 8.8 rating due to network reachability and high impact across confidentiality, integrity, and availability, though Chromium itself rates the severity as Medium. EPSS is very low at 0.03% (11th percentile) and no public exploit identified at time of analysis, indicating limited near-term exploitation pressure despite the high CVSS.
Technical ContextAI
ANGLE (Almost Native Graphics Layer Engine) is Chromium's translation library that maps WebGL and other OpenGL ES API calls onto the host platform's native graphics stack (Direct3D on Windows, Metal on macOS, Vulkan/OpenGL on Linux), and it is exposed to untrusted web content through the renderer process. CWE-472 (External Control of Assumed-Immutable Web Parameter) is unusual for a graphics-layer integer overflow; the more common root-cause class for ANGLE overflows is CWE-190, and the assigned CWE may reflect how attacker-controlled values from the page flow into size or offset calculations that were assumed trusted. The CPE (cpe:2.3:a:google:chrome:*) covers all Chrome variants, and the overflow leads to cross-origin data leakage rather than direct memory corruption disclosure, suggesting the integer wrap causes out-of-bounds reads from buffers belonging to other origins rendered via GPU-accelerated content.
RemediationAI
Upgrade Google Chrome to version 148.0.7778.216 or later on the Stable channel per the vendor-released patch documented in the Chrome Releases blog (https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html) and tracked at https://issues.chromium.org/issues/505056913 and https://nvd.nist.gov/vuln/detail/CVE-2026-10019. For managed environments, push the update via enterprise policy (Chrome Browser Cloud Management or GPO) and verify by checking chrome://version. If patching must be delayed, compensating controls include disabling hardware acceleration via the '#disable-accelerated-2d-canvas' and related flags or the HardwareAccelerationModeEnabled enterprise policy to force software rendering (trade-off: degraded WebGL/canvas performance and broken behavior on graphics-heavy sites), and restricting browsing to trusted internal sites via web filtering until updates roll out. Ensure Chromium-derivative browsers (Edge, Brave, Opera) are also updated to versions that pull in the fixed ANGLE code.
Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player
V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac
Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, a
The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, do
Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb
Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi
An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi
The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se
Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13
Same technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33161
GHSA-q2hx-7c42-vrhr