CVE-2026-6296

Google · Chrome

A heap buffer overflow in the ANGLE component of Google Chrome enables remote attackers to achieve sandbox escape via a specially crafted HTML page.

Executive summary

A critical heap buffer overflow in Google Chrome allows remote attackers to bypass the browser sandbox, potentially leading to full system compromise.

Vulnerability

This is a heap buffer overflow vulnerability in the ANGLE graphics engine, which can be triggered by an unauthenticated remote attacker through malicious web content to escape the browser sandbox.

Business impact

With a CVSS score of 9.6, this vulnerability is extremely severe. Successful exploitation allows an attacker to break out of the browser's security sandbox, potentially resulting in unauthorized access to the underlying operating system, data theft, or complete system takeover.

Remediation

Immediate Action: Update all Google Chrome instances to version 147.0.7727.101 or later immediately.

Proactive Monitoring: Monitor endpoint detection systems for unusual browser process behavior or unexpected crashes during web navigation.

Compensating Controls: Utilize endpoint protection platforms (EPP) to detect and block malicious web-based payloads and ensure browser security policies are strictly enforced.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Browser-based sandbox escapes are high-value targets for attackers. Given the critical severity and the nature of the flaw, all organizations must prioritize the rapid deployment of the latest Chrome update to all managed endpoints to mitigate the risk of remote code execution and system compromise.