CVE-2026-5277
Published: 01 April 2026
Summary
CVE-2026-5277 is a high-severity External Control of Assumed-Immutable Web Parameter (CWE-472) vulnerability in Google Chrome. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 8.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely flaw remediation through updating Google Chrome to version 146.0.7680.178 or later directly eliminates the integer overflow vulnerability in the ANGLE component.
Memory protection mechanisms such as DEP, ASLR, and stack canaries directly mitigate out-of-bounds memory writes resulting from the integer overflow in the compromised renderer process.
Information input validation on HTML content processed by the ANGLE graphics library helps prevent integer overflows triggered by crafted WebGL inputs.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Integer overflow in Chrome renderer (ANGLE) enables OOB write via crafted HTML page, directly facilitating exploitation for client execution to achieve code execution in the renderer process.
NVD Description
Integer overflow in ANGLE in Google Chrome on Windows prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2026-5277 is an integer overflow vulnerability (CWE-472) in the ANGLE graphics component within Google Chrome on Windows versions prior to 146.0.7680.178. The flaw enables an out-of-bounds memory write when processing a crafted HTML page. Chromium security severity is rated as High, with a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H), reflecting network accessibility, high attack complexity, no privileges required, user interaction needed, unchanged scope, and high impacts on confidentiality, integrity, and availability.
The vulnerability can be exploited by a remote attacker who has already compromised the renderer process in Google Chrome. Exploitation occurs via a malicious HTML page, allowing the attacker to perform an out-of-bounds memory write, potentially leading to further code execution or system compromise within the renderer sandbox.
Mitigation is addressed in the stable channel update for Google Chrome desktop, as detailed in the Chrome Releases blog post at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_31.html. Users should update to version 146.0.7680.178 or later. Additional technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/489791424.
Details
- CWE(s)