Google has released Chrome 150.0.7871.46, a targeted update that patches a high-severity vulnerability in the browser’s ANGLE graphics engine. The flaw, assigned CVE-2026-14400, could allow an attacker to escape Chrome’s tightly controlled sandbox simply by luring a victim to a specially crafted webpage. If you’re running any previous version of Chrome, you need to update right now.

Chrome’s security team rarely calls out a single fix in an otherwise routine stable-channel bump, but this time one issue demanded immediate attention. The release notes for 150.0.7871.46 flag only one security fix — and it’s a big one. An out-of-bounds write bug in ANGLE, the component that translates WebGL and other GPU-bound commands into native graphics APIs, has been sealed. Google’s severity rating of “High” only begins to tell the story.

A small bug that punches a hole in the fortress

CVE-2026-14400 is described as an out-of-bounds write in ANGLE. For anyone not steeped in memory-corruption jargon, that means an attacker can trick Chrome’s GPU process into writing data past the end of an allocated buffer. When exploited, it can corrupt adjacent memory, opening the door to code execution. And because the GPU process sits inside its own sandbox, a successful attack here doesn’t yet own the system. But it can escape that sandbox — and that changes everything.

ANGLE, short for Almost Native Graphics Layer Engine, is one of the least-visible but most critical pieces of modern Chrome (and any Chromium-based browser). When a web app uses WebGL for 3D rendering or even just accelerates 2D canvas, ANGLE steps in. It translates OpenGL ES calls into Direct3D on Windows, Vulkan on supported systems, or Metal on macOS, giving JavaScript near-native access to the GPU without exposing raw driver interfaces. That translation layer, however, is complex C++ code — and complexity is the enemy of security.

In this case, the out-of-bounds write likely lives in the shader-translation or buffer-mapping logic that ANGLE uses when preparing commands for the real GPU driver. A malicious page can construct a carefully distorted WebGL scene that — when processed — triggers the write past a buffer boundary. From there, an attacker can hijack the flow of execution inside the GPU process. Chrome’s sandbox heavily restricts what the GPU process can do (it can’t read your documents or start arbitrary processes directly), but the sandbox itself isn’t a magical force field; it’s a set of Windows job objects, restricted tokens, and SELinux policies. If the attacker can find a second bug — or use a technique to chain this with a kernel or IPC flaw — the sandbox escape can result in full system compromise.

What this means for you

Home users: patch, don’t wait

If you use Chrome on your personal Windows PC, Mac, or Linux machine, the calculus is simple. An actively exploited browser sandbox escape is the worst kind of drive-by download: you visit a page, and an attacker might gain a foothold on your machine without any further interaction. Chrome’s automatic update mechanism downloads new versions in the background, but it doesn’t always restart the browser right away. The small “Update” badge in the top-right corner often sits ignored for days or weeks. This time, don’t wait.

The fix is available immediately on the stable channel. If you want to check manually, click the three-dot menu, go to Help > About Google Chrome, and let it detect version 150.0.7871.46. Relaunch the browser when prompted. If your version number is anything lower, you are vulnerable.

IT administrators: mass deployment is urgent

For those managing fleets, this is a get-it-done-today update. Chrome 150.0.7871.46 is the new baseline for all managed installations. If you use Chrome Browser Cloud Management or Microsoft Intune, push the update to your endpoint groups immediately. Group Policy administrators can enforce the update by checking the Google Update policies. Remember that some users may have Chrome installations that are not managed by central IT (home machines used for work, for instance); urge them to update personally.

A sandbox escape is especially dangerous in corporate environments where browsers often hold active sessions to SaaS tools, internal portals, and cloud consoles. A compromise that jumps the sandbox can steal credentials from active sessions, install persistent malware, or move laterally into the network. Don’t wait for your usual phased rollout — roll it out now.

Developers working with WebGL

Web developers who build graphics-intensive applications — 3D configurators, data visualizations, games — should test their content against the patched version immediately. Google has not disclosed the exact nature of the out-of-bounds write, but it’s possible the patch changes ANGLE’s handling of certain edge cases in buffer sizes or shader parameters. While the fix is purely a security hardening measure and shouldn’t break well-behaved WebGL code, any app that was unknowingly relying on undefined behavior might see a change in output. A quick regression test on canary or dev channels before stable release would have been ideal, but now that the fix is in stable, the only path is to test and deploy.

How we got here

Chrome’s multi-process architecture is famously its first line of defense. Since 2008, the browser has kept the renderer (which parses HTML, CSS, and JavaScript) in a tightly confined sandbox. GPU operations were later pulled out into their own process, also sandboxed, to prevent graphics drivers — notoriously buggy — from taking down the whole browser. ANGLE became the gatekeeper: web content never talks to a graphics driver directly; ANGLE sanitizes and translates every call. This design has made Chrome one of the hardest targets on the desktop.

But nothing is unbreakable. CVE-2026-14400 is not the first high-severity bug in ANGLE, and it won’t be the last. The GPU process, by its nature, has to talk to kernel-mode driver components, and that interface is messy. A bug in ANGLE that lets an attacker write out of bounds is essentially a mismatch between the memory layout ANGLE expects and what a malformed input can force. Google’s security team likely found this bug through internal fuzzing or a bug bounty report. The fact that the stable-channel update contains only this fix suggests an urgent, targeted patch — the kind Google ships when it believes in-the-wild exploitation is either underway or imminent.

Google typically doesn’t publish full technical details until the majority of the user base has been patched. Expect a more detailed root-cause analysis on the Chromium bugs portal in the coming weeks.

What to do now

  1. Update Chrome now. The simplest way is to open chrome://settings/help. If you see a version starting with 150.0.7871.46, you’re safe. If you see an older number, click “Check for updates” and restart the browser.
  2. Verify your Chromium-based browsers. Microsoft Edge, Brave, Vivaldi, Opera, and others share the same codebase. While each vendor ships updates independently, they will almost certainly address CVE-2026-14400 in their next builds. Check their respective update channels and apply patches as they become available. Edge, in particular, can be updated via Windows Update or the browser’s About page.
  3. Enterprise admins: deploy immediately. Use your mobile device management (MDM) or software distribution system to push Chrome 150.0.7871.46. Microsoft Intune, SCCM, or Google’s admin console all allow forcing browser updates.
  4. Educate your users. If you support family or colleagues, tell them to click the “Update” button when the browser prompts or to restart Chrome. Power users can enable “Restart” in chrome://flags to force the browser to restart itself after an update, reducing the window of vulnerability.
  5. Monitor for unusual activity. While the patch is being rolled out, keep an eye on system logs for unexpected processes, odd outbound network connections, or credential prompts. A sandbox escape often leaves forensic traces on disk or in the registry.

What to watch next

Google’s Chrome release cycle moves fast. The next stable release will almost certainly bundle additional security fixes, and any zero-day exploitation of CVE-2026-14400 will push the company to publish an advisory with indicators of compromise. In the meantime, the industry will watch Chromium-based browsers closely to see how quickly they integrate this patch. For users, the message remains simple: Chrome 150.0.7871.46 is not optional. Update today.