Use after free in ANGLE in Google Chrome on Windows prior to 149

CVE-2026-10914 is a use-after-free in ANGLE affecting Google Chrome on Windows before 149.0.7827.53. In plain English: a malicious page can corrupt memory in graphics-handling code and potentially get attacker-controlled code running inside Chrome's sandboxed process, not directly as the user on the underlying OS. The patch line landed in Chrome 149 stable on June 2, 2026, while the CVE/public metadata appears to have surfaced on June 4, 2026.

Google's HIGH/8.8 label is technically defensible for a memory-corruption bug in a massively deployed browser, but it overstates the enterprise patch urgency when assessed as a standalone bug. The decisive friction is that the stated impact is sandboxed code execution on a client browser, which usually means the attacker still needs a second bug for sandbox escape, token theft beyond the browser boundary, or meaningful host compromise; add user interaction, Windows-only scope, no KEV entry, and an EPSS of 0.0008, and this drops out of urgent-fire territory into solid MEDIUM.

Why this verdict

• Sandboxed code exec cuts the blast radius: vendor 8.8 starts from memory corruption in a major browser, but the stated impact is execution inside a sandbox, not unrestricted code execution on the endpoint. That is a meaningful downward adjustment from host-takeover territory.
• User interaction narrows reach: the attacker needs a user to hit a malicious page on vulnerable Windows Chrome. Web filtering, Safe Browsing, mail protections, and ordinary user behavior reduce the exploitable population compared with unauthenticated server-side bugs.
• Threat telemetry is cold: no KEV listing, no public exploitation evidence found, and EPSS 0.0008 all argue against treating this as an emergency patch event despite the scary vulnerability class.

Why not higher?

It is not higher because the public description stops at sandboxed execution. For browser bugs, the line between 'serious' and 'drop everything' is usually whether the attacker gets out of the sandbox or whether there is confirmed active exploitation; neither is present here from the available evidence.

Why not lower?

It is not lower because this is still memory corruption in a ubiquitous browser, delivered over normal browsing with no authentication and potentially exploitable by a malicious page. If you run a large Windows fleet, even sandboxed browser code execution deserves disciplined version compliance, because it can be paired with other bugs or used for browser-scoped data theft.

1. Enforce browser auto-update — Make sure managed Windows endpoints cannot drift below 149.0.7827.53. For a MEDIUM verdict there is no mitigation SLA — go straight to the 365-day remediation window, but in practice browser drift should be cleaned up far sooner because update enforcement is cheap and high leverage.
2. Reduce untrusted web execution paths — Use enterprise policy, web filtering, ad blocking, and Safe Browsing controls to lower the odds of users reaching exploit delivery pages. There is no mitigation SLA for MEDIUM here, so apply this as a risk-reduction measure where patch latency or kiosk exceptions exist while staying inside the 365-day remediation window.
3. Watch for crash and exploit telemetry — Tune EDR and browser telemetry for unusual Chrome renderer/GPU crashes, exploit mitigation events, and suspicious child-process or follow-on activity. That will not prove this CVE specifically, but it is the most practical detection layer if a browser memory-corruption chain is attempted during the remediation window.
4. Isolate exception systems — For VDI images, kiosks, lab systems, or pinned application stacks that cannot move immediately, tighten egress and browsing scope to approved destinations only. Again, no mitigation SLA applies at MEDIUM, but exception populations should still be documented and remediated within the 365-day patch window.

Run this on the target Windows endpoint or through your endpoint management shell. Invoke it with powershell -ExecutionPolicy Bypass -File .\check-chrome-cve-2026-10914.ps1; standard user rights are usually enough because it only reads file version and uninstall metadata.

# check-chrome-cve-2026-10914.ps1

# Purpose: Detect whether Google Chrome on Windows is vulnerable to CVE-2026-10914

# Logic: Vulnerable if installed Chrome version is less than 149.0.7827.53

# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN


$ErrorActionPreference = 'Stop'

function Get-VersionObject {
    param([string]$VersionString)
    try {
        return [version]$VersionString
    } catch {
        return $null
    }
}

function Get-ChromeVersion {
    $paths = @(
        "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
        "$env:ProgramFiles(x86)\Google\Chrome\Application\chrome.exe",
        "$env:LocalAppData\Google\Chrome\Application\chrome.exe"
    )

    foreach ($p in $paths) {
        if (Test-Path $p) {
            try {
                $fv = (Get-Item $p).VersionInfo.ProductVersion
                if ($fv) {
                    return [pscustomobject]@{ Path = $p; Version = $fv; Source = 'Executable' }
                }
            } catch {}
        }
    }

    $regPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    foreach ($rp in $regPaths) {
        try {
            $apps = Get-ItemProperty $rp -ErrorAction SilentlyContinue |
                Where-Object { $_.DisplayName -match '^Google Chrome$' -and $_.DisplayVersion }
            foreach ($app in $apps) {
                return [pscustomobject]@{ Path = 'Registry'; Version = $app.DisplayVersion; Source = 'UninstallKey' }
            }
        } catch {}
    }

    return $null
}

$fixedVersion = Get-VersionObject '149.0.7827.53'
$found = Get-ChromeVersion

if (-not $found) {
    Write-Output 'UNKNOWN - Google Chrome not found on this host or version could not be determined.'
    exit 2
}

$currentVersion = Get-VersionObject $found.Version
if (-not $currentVersion) {
    Write-Output ("UNKNOWN - Found Chrome via {0}, but version '{1}' could not be parsed." -f $found.Source, $found.Version)
    exit 2
}

if ($currentVersion -lt $fixedVersion) {
    Write-Output ("VULNERABLE - Google Chrome version {0} detected via {1}; fixed version is {2}." -f $currentVersion, $found.Source, $fixedVersion)
    exit 1
} else {
    Write-Output ("PATCHED - Google Chrome version {0} detected via {1}; meets or exceeds fixed version {2}." -f $currentVersion, $found.Source, $fixedVersion)
    exit 0
}

Sources

1. Chrome Releases - June 2026 stable desktop update
2. Chromium issue 497574371
3. Chromium severity guidelines
4. Chrome sandbox diagnostics for Windows
5. Chromium memory safety overview
6. CISA Known Exploited Vulnerabilities catalog
7. FIRST EPSS API documentation
8. Chromium security release management