Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Integer overflow in ANGLE in Google Chrome on Windows prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
AnalysisAI
Integer overflow in ANGLE (Google's OpenGL abstraction layer) in Chrome on Windows before version 146.0.7680.178 enables out-of-bounds memory writes if the renderer process is compromised, allowing an attacker to execute arbitrary code with renderer privileges. The vulnerability requires prior renderer process compromise, limiting the immediate attack surface but representing a critical post-compromise escalation vector. Chromium severity is rated High; patch availability confirms vendor remediation.
Technical ContextAI
ANGLE (Almost Native Graphics Layer Engine) is Google's abstraction layer for OpenGL ES on Windows, providing graphics rendering capabilities for Chrome. The integer overflow occurs in ANGLE's memory management during graphics operations, violating size calculations that lead to CWE-472 (Integer Overflow to Buffer Overflow). When an integer overflows, subsequent buffer allocation and write operations access memory beyond intended boundaries. The vulnerability is specific to Windows implementations of ANGLE and requires a malicious HTML page to trigger the overflow through crafted graphics commands. The CPE cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* indicates all Chrome versions prior to 146.0.7680.178 are affected across all platforms where this code path is active.
RemediationAI
Upgrade Google Chrome to version 146.0.7680.178 or later on Windows systems. The patch is vendor-released and addresses the integer overflow in ANGLE. Users should enable automatic updates to receive the fix immediately; manual update can be performed by navigating to Chrome Menu > Help > About Google Chrome, which will download and install the latest version with automatic restart on next browser restart. No workarounds are available for users unable to patch immediately, as the vulnerability requires renderer compromise before exploitation-maintaining strong browser security practices (avoiding untrusted extensions, disabling insecure downloads, and keeping the OS patched) indirectly reduces renderer compromise likelihood. Refer to https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_31.html for official advisory details.
Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player
V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac
Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, a
The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, do
Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb
Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi
An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi
The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se
Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13
Same technique Buffer Overflow
View allVendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye (security), bullseye | vulnerable | 120.0.6099.224-1~deb11u1 | - |
| bookworm | vulnerable | 143.0.7499.169-1~deb12u1 | - |
| bookworm (security) | vulnerable | 146.0.7680.164-1~deb12u1 | - |
| trixie | vulnerable | 145.0.7632.159-1~deb13u1 | - |
| trixie (security) | vulnerable | 146.0.7680.164-1~deb13u1 | - |
| forky | vulnerable | 146.0.7680.153-1 | - |
| sid | fixed | 146.0.7680.177-1 | - |
| bullseye | fixed | (unfixed) | end-of-life |
| (unstable) | fixed | 146.0.7680.177-1 | - |
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17787