Cyber Resilience

CVE-2026-5277

High

Published: 01 April 2026

Published
01 April 2026
Modified
01 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0007 20.6th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-5277 is a high-severity External Control of Assumed-Immutable Web Parameter (CWE-472) vulnerability in Google Chrome. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 20.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-5277 is an integer overflow vulnerability (CWE-472) in the ANGLE graphics component within Google Chrome on Windows versions prior to 146.0.7680.178. The flaw enables an out-of-bounds memory write when processing a crafted HTML page. Chromium security severity is rated as High, with a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H), reflecting network accessibility, high attack complexity, no privileges required, user interaction needed, unchanged scope, and high impacts on confidentiality, integrity, and availability.

The vulnerability can be exploited by a remote attacker who has already compromised the renderer process in Google Chrome. Exploitation occurs via a malicious HTML page, allowing the attacker to perform an out-of-bounds memory write, potentially leading to further code execution or system compromise within the renderer sandbox.

Mitigation is addressed in the stable channel update for Google Chrome desktop, as detailed in the Chrome Releases blog post at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_31.html. Users should update to version 146.0.7680.178 or later. Additional technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/489791424.

EU & UK References

Vulnerability details

Integer overflow in ANGLE in Google Chrome on Windows prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Integer overflow in Chrome renderer (ANGLE) enables OOB write via crafted HTML page, directly facilitating exploitation for client execution to achieve code execution in the renderer process.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-5274Same product: Apple Macos
CVE-2026-5910Same product: Apple Macos
CVE-2026-5912Same product: Apple Macos
CVE-2026-5908Same product: Apple Macos
CVE-2026-7896Same product: Apple Macos
CVE-2026-9968Same product: Apple Macos
CVE-2026-5859Same product: Apple Macos
CVE-2025-10891Same product: Apple Macos
CVE-2026-5909Same product: Apple Macos
CVE-2026-5915Same product: Apple Macos

Affected Assets

google
chrome
≤ 146.0.7680.177

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely flaw remediation through updating Google Chrome to version 146.0.7680.178 or later directly eliminates the integer overflow vulnerability in the ANGLE component.

prevent

Memory protection mechanisms such as DEP, ASLR, and stack canaries directly mitigate out-of-bounds memory writes resulting from the integer overflow in the compromised renderer process.

prevent

Information input validation on HTML content processed by the ANGLE graphics library helps prevent integer overflows triggered by crafted WebGL inputs.

References