Critical (9.6)

Chrome sandbox escape via heap overflow (CVE-2026-6296)

Attackers can escape Chrome's sandbox via a critical heap buffer overflow in the ANGLE graphics engine. Update Chrome to version 147.0.7727.101 or later immediately.

Affected: Google Chrome, Apple macOS, Linux Kernel, Microsoft Windows

Patch now - CVE-2026-6296 is a critical heap buffer overflow in Google Chrome’s ANGLE graphics engine (versions before 147.0.7727.101) that grants remote attackers sandbox escape, enabling arbitrary code execution on the victim’s system with no user credentials required.

Overview

A critical heap buffer overflow vulnerability, identified as CVE-2026-6296, has been patched in Google Chrome. The flaw resides in the ANGLE graphics engine layer, a core component responsible for translating OpenGL ES calls. This vulnerability could allow an attacker to break out of Chrome’s security sandbox, a foundational defense that confines web page code.

Vulnerability Details

The vulnerability is triggered when Chrome processes a specially crafted HTML page. A heap buffer overflow occurs within the ANGLE component, corrupting memory in a way an attacker could control. While user interaction, such as visiting a malicious website, is required, no other privileges are needed. The attack complexity is low, making exploitation more feasible.

The primary risk is a sandbox escape. Chrome’s sandbox is designed to prevent code from a webpage from accessing the underlying operating system. By escaping this boundary, an attacker could potentially execute arbitrary code on the victim’s machine with the privileges of the Chrome process, leading to full system compromise.

Impact and Severity

This vulnerability is rated Critical by Chromium with a CVSS score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). Its critical nature stems from the combination of high impact (allowing system-level code execution) and the low barriers to attack: it can be exploited over a network with no user credentials. While not currently listed on CISA’s Known Exploited Vulnerabilities catalog, the severity warrants urgent attention.

Remediation and Mitigation

The only complete remediation is to update Google Chrome. All users and administrators must ensure their browsers are updated to version 147.0.7727.101 or later.

Action Steps:

  1. Update Chrome: Open Chrome, click the three-dot menu (⋮) > Help > About Google Chrome. The browser will check for and apply the update. A restart is required.
  2. Enterprise Deployment: Administrators should push the updated package (147.0.7727.101) to all managed endpoints using their preferred deployment tools.
  3. Verify Version: Confirm the browser reports “Version 147.0.7727.101 (Official Build)” in the About page.

As a temporary mitigation, exercise caution with unsolicited links and ensure other system and endpoint security controls are active. However, patching is the definitive solution.

Security Insight

This vulnerability highlights the persistent targeting of browser rendering and graphics components, which are complex and performance-critical, making them a fertile ground for memory corruption flaws. Similar to past Chrome zero-days that targeted components like Skia and V8, as seen in “Google Fixes Two Chrome Zero-Days Exploited in the Wild”, flaws in these subsystems often provide the high-impact primitives needed for sandbox escapes, underscoring why they remain a priority for both attackers and defenders.

Update - May 2026

Patch Status: Google has confirmed all Chrome channels are updated to 147.0.7727.101+. No additional patches or follow-up advisories have been issued for CVE-2026-6296 since publication. All users should verify they are running Chrome 147.0.7727.101 or later.

Exploitation & Telemetry: No confirmed incidents of in-the-wild exploitation have been reported publicly as of this update. The EPSS score has increased marginally from 0.00027 (7th percentile) to 0.0003 (8th percentile), indicating low but slightly elevated opportunistic attack probability. The vulnerability is not listed on CISA KEV as of May 11; continued monitoring is warranted given its sandbox-escape potential.

Related CVEs: No new ANGLE-specific CVEs have been published since April 15. However, defenders should note that CVE-2026-6296 follows the same heap-buffer-overflow pattern as CVE-2026-6104 (ANGLE, March 2026) and CVE-2026-5938 (ANGLE, February 2026), suggesting a recurring weakness in the WebGL-to-ANGLE translation layer.

Actions for Defenders:

  • Confirm Chrome/Chromium is at minimum version 147.0.7727.101 on all endpoints.
  • Enable Chrome’s built-in “ANGLE” graphics backend logging for forensic baselining.
  • Monitor for user-reported crashes or unexpected graphics rendering in WebGL tabs.
  • If this CVE is added to CISA KEV, expedite patching within 24 hours due to sandbox-escape severity.
