CVE-2026-5868 Overview
CVE-2026-5868 is a heap buffer overflow vulnerability in ANGLE, the graphics translation layer used by Google Chrome on macOS. The flaw affects Chrome versions prior to 147.0.7727.55 and is classified under CWE-122: Heap-based Buffer Overflow. A remote attacker can exploit the vulnerability by serving a crafted HTML page. Successful exploitation enables arbitrary code execution within the Chrome renderer sandbox. Google rated the Chromium security severity as High.
Critical Impact
Remote attackers can achieve arbitrary code execution inside the Chrome renderer sandbox by tricking a user into visiting a malicious web page.
Affected Products
- Google Chrome on macOS prior to 147.0.7727.55
- Apple macOS (host platform for affected Chrome builds)
- ANGLE graphics translation layer within Chromium
Discovery Timeline
- 2026-04-08 - CVE-2026-5868 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-5868
Vulnerability Analysis
The vulnerability resides in ANGLE (Almost Native Graphics Layer Engine), the component that translates WebGL and OpenGL ES API calls into the platform-native graphics API. On macOS, ANGLE bridges these calls to Metal or OpenGL. Improper bounds handling during processing of graphics state or buffer data leads to a heap-based out-of-bounds write. An attacker who controls the HTML and WebGL content rendered by the browser can manipulate heap allocations and corrupt adjacent memory. The corruption is sufficient to redirect control flow and execute attacker-supplied code inside the sandboxed renderer process.
Root Cause
The root cause is missing or incorrect length validation when ANGLE writes data into a heap-allocated buffer. The condition matches CWE-122, where a write extends past the allocated boundary. Crafted WebGL inputs trigger an allocation smaller than the data subsequently written, producing the overflow.
Attack Vector
Exploitation is remote and requires user interaction. The victim must load a page controlled by the attacker, for example through phishing, malvertising, or a compromised site. No authentication is required. Once the page executes the malicious WebGL workload, the renderer process is compromised. Code execution remains confined to the renderer sandbox; chaining with a sandbox escape would be required for full system compromise.
No public proof-of-concept is available, and the vulnerability is not listed in the CISA KEV catalog. See the Chromium Issue Tracker Entry for technical details.
Detection Methods for CVE-2026-5868
Indicators of Compromise
- Chrome renderer process crashes on macOS hosts with stack traces referencing ANGLE or graphics buffer functions.
- Unexpected child processes spawned from Google Chrome Helper (Renderer).
- Outbound network connections from renderer processes to unfamiliar domains following visits to untrusted pages.
Detection Strategies
- Inventory installed Chrome versions across macOS endpoints and flag any build below 147.0.7727.55.
- Correlate browser crash telemetry with web navigation history to identify pages triggering renderer failures.
- Monitor for anomalous process behavior originating from Chrome helper processes, including file writes and network egress.
Monitoring Recommendations
- Forward Chrome crash dumps and macOS ReportCrash logs to a central analytics platform for ANGLE-related signatures.
- Track DNS and HTTP telemetry for visits to newly registered or low-reputation domains preceding renderer crashes.
- Alert on Chrome processes attempting to load unsigned dynamic libraries or modify user data directories.
How to Mitigate CVE-2026-5868
Immediate Actions Required
- Update Google Chrome on all macOS endpoints to version 147.0.7727.55 or later.
- Enforce automatic Chrome updates through MDM policy to prevent version drift.
- Restrict use of unmanaged browsers on corporate macOS devices until patching completes.
Patch Information
Google released the fix in the Chrome Stable channel update for desktop. Apply build 147.0.7727.55 or later on macOS. Full release notes are available in the Google Chrome Update Blog.
Workarounds
- Disable hardware-accelerated WebGL through enterprise policy HardwareAccelerationModeEnabled set to false until patches are deployed.
- Block access to untrusted websites at the proxy or DNS layer to reduce exposure to crafted HTML pages.
- Apply site isolation and strict sandbox flags via Chrome enterprise policies to limit renderer compromise.
# Verify Chrome version on macOS
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --version
# Force update check via command line
open -a "Google Chrome" --args --check-for-update-interval=1
# Example MDM managed preference to disable WebGL hardware acceleration
defaults write com.google.Chrome HardwareAccelerationModeEnabled -bool false
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
