Google has shipped a fix for a medium-severity security flaw in Chrome for Windows, tracked as CVE-2026-7340, as part of the stable channel update to version 147.0.7727.138 released on April 28, 2026. The vulnerability resides in ANGLE—the Almost Native Graphics Layer Engine—and could be triggered by a specially crafted HTML page capable of causing an integer overflow.
What is ANGLE and why it matters for Windows users
ANGLE is an open-source graphics engine abstraction layer developed by Google, primarily used within Chromium to translate WebGL and other OpenGL ES calls into the native graphics API of the host operating system. On Windows, this means converting calls to Direct3D, the native 3D graphics API used by the operating system and its drivers. ANGLE is not just a convenience library—it is a critical bridge that allows web applications to render complex 2D and 3D graphics seamlessly across platforms without developers needing to write platform-specific code.
For Windows users, ANGLE is deeply embedded in Chrome. Every WebGL-based game, 3D model viewer, or advanced visualization in the browser passes through ANGLE. It interacts directly with graphics drivers from NVIDIA, AMD, Intel, and Qualcomm, and by extension with the Windows kernel’s graphics subsystem. A flaw in this component can therefore have far-reaching consequences.
CVE-2026-7340: an integer overflow in the rendering path
The newly disclosed CVE-2026-7340 is described as an integer overflow in ANGLE. While the exact function or module where the overflow occurs has not yet been disclosed—Google typically restricts technical details until a majority of users have applied the patch—the nature of integer overflows in graphics processing is well understood. Such bugs occur when arithmetic operations on integer values produce a result that exceeds the maximum representable size, wrapping around to a small or unexpected value. This can lead to buffer under-allocation, out-of-bounds memory access, or other memory corruption scenarios.
In the context of ANGLE, an integer overflow could be triggered by providing maliciously crafted vertex data, texture dimensions, or shader parameters via a web page. A remote attacker could host a page that, when visited, causes Chrome to allocate insufficient memory for a graphics operation, subsequently overwriting adjacent memory. Depending on the precise nature of the overflow and the state of memory, this might allow an attacker to execute arbitrary code, crash the browser, or even attempt to escape Chrome’s sandbox if combined with additional exploits.
Severity and risk assessment
The CVE has been assigned a severity of “Medium” in the initial disclosure. This rating suggests that while the vulnerability is real and exploitable, the immediate risk of widespread compromise is mitigated by factors such as the level of user interaction required and the presence of Chrome’s multi-process architecture and sandbox. However, medium severity does not mean low impact. Integer overflows in graphics libraries have historically been used as part of exploit chains—for example, paired with a sandbox escape to gain full system access. On Windows, because ANGLE interfaces closely with kernel-mode graphics drivers, the risk of privilege escalation or driver compromise cannot be entirely dismissed.
Google reports that the flaw is specific to Chrome on Windows. Other platforms like macOS, Linux, or Android are not affected because ANGLE’s backend differs per OS; on macOS it uses Metal, on Linux Vulkan or OpenGL, and only on Windows does it rely on Direct3D in the typical configuration. This platform specificity underscores how a single component can expose divergent attack surfaces depending on the underlying operating system.
The patch in Chrome 147.0.7727.138
The fix was delivered in the stable channel update to Chrome 147.0.7727.138 for Windows. The update should be rolling out automatically over the coming days and weeks. Users can force an immediate update by navigating to the three-dot menu > Help > About Google Chrome, which will check for the latest version and download it if available. After updating, a full browser restart is required to apply the patch.
Enterprise administrators managing Chrome across Windows fleets should ensure that group policies or update management tools are configured to deploy this version promptly. Given that the details of the vulnerability are still under embargo, delaying updates exposes systems to potential future exploitation once proof-of-concept code is published or reverse-engineered.
Technical deep dive: how the integer overflow could have occurred
Although the exact root cause remains confidential, examining ANGLE’s typical operations offers clues. ANGLE converts OpenGL ES calls—for example, glDrawElements, glTexImage2D, or buffer data uploads—into Direct3D equivalents. During this process, it often performs size calculations for memory allocations or for validating buffer boundaries. If a web page submits unusually large or specially crafted values for dimensions like texture width, height, or element indices, and if ANGLE’s internal arithmetic does not properly guard against overflow, a too-small buffer could be allocated and then written past its end.
This class of bug is particularly dangerous in graphics contexts because the data being processed is often large and performance-sensitive, leading developers to use unsafe arithmetic optimizations. Past ANGLE vulnerabilities have included similar integer overflows (e.g., CVE-2020-16013, CVE-2019-13727), highlighting the ongoing challenge of securing complex graphics translation layers.
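The under-allocation pattern described above, as an added example that is not ANGLE's code and does not depict the undisclosed CVE-2026-7340 bug. It is a generic texture size calculation, with hypothetical function names and constructed dimensions, shown unchecked and then with overflow checks.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers for illustration; these are not ANGLE functions. */

/* Unchecked: the product is computed in 32 bits and wraps modulo 2^32. */
uint32_t texture_bytes_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Checked: widen to 64 bits and reject any intermediate result that does
 * not fit the 32-bit size the allocator will receive. */
bool texture_bytes_checked(uint32_t width, uint32_t height, uint32_t bpp,
                           uint32_t *out)
{
    uint64_t total = (uint64_t)width * height;   /* cannot overflow 64 bits */
    if (total > UINT32_MAX)
        return false;
    total *= bpp;                                /* both factors below 2^32 */
    if (total > UINT32_MAX)
        return false;
    *out = (uint32_t)total;
    return true;
}

int main(void)
{
    /* Constructed sample dimensions chosen so the 32-bit product wraps. */
    uint32_t w = 65537, h = 65536, bpp = 4;
    uint64_t needed = (uint64_t)w * h * bpp;
    uint32_t wrapped = texture_bytes_unchecked(w, h, bpp);
    uint32_t safe = 0;
    bool big_ok = texture_bytes_checked(w, h, bpp, &safe);
    bool small_ok = texture_bytes_checked(256, 256, 4, &safe);

    printf("bytes needed:      %llu\n", (unsigned long long)needed);
    printf("unchecked result:  %u\n", (unsigned)wrapped);
    printf("checked accepted:  %s\n", big_ok ? "yes" : "no");
    printf("256x256x4 checked: %s (%u bytes)\n",
           small_ok ? "yes" : "no", (unsigned)safe);
    return 0;
}
```

The unchecked result for the oversized request equals the size of an ordinary 256x256 RGBA texture, which is why a wrapped size passes unnoticed until the write goes past the buffer.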
What users should do
- Update Chrome immediately. The single most effective mitigation is to ensure you are running version 147.0.7727.138 or higher. Check by pasting chrome://settings/help into the address bar. If the version shown is older, the browser will begin downloading the update automatically.
- Enable automatic updates. Under Chrome’s advanced settings, ensure that the updater service is running and allowed to connect to the internet. This guarantees timely installation of future security patches.
- Practice safe browsing. Until the patch has been broadly deployed, users should be cautious of visiting untrusted or unfamiliar websites, especially those that heavily utilize WebGL or 3D graphics. Attackers often embed exploit code in compromised advertisement networks or phishing pages.
- For organizations: consider deploying Chrome with additional security layers such as Microsoft Defender Application Guard, browser isolation technologies, or endpoint detection and response (EDR) solutions that can flag anomalous browser behavior.
Disclosure timeline and community reaction
Google has not yet published a detailed technical breakdown of CVE-2026-7340. According to its standard vulnerability disclosure policy, the company withholds specifics for up to 90 days or until the fix has reached a sufficient user base. Security researchers often collaborate to identify and report such bugs through Chrome’s Vulnerability Rewards Program (VRP), and credit is typically given in subsequent updates. At this stage, it is unclear whether this vulnerability was reported externally or discovered internally.
The absence of a public exploit or any indication of active exploitation suggests that the flaw was responsibly disclosed. Yet, as history shows, once a patch is reverse-engineered, exploit attempts often follow. This lag time is critical for users to update.
The broader picture: browser graphics security
Graphics layers in browsers have become a prime target for attackers. The complexity of GPU drivers and abstraction libraries like ANGLE provides a rich attack surface. On Windows, the closed-source nature of many GPU drivers adds opacity, making it harder for open-source projects like Chromium to fully audit the interaction paths. Google’s ongoing investment in projects like SwANGLE (ANGLE’s software renderer) and the push toward Vulkan backends aims to reduce reliance on individual driver implementations, but such transitions are gradual.
CVE-2026-7340 serves as a reminder that even medium-severity bugs in such components warrant urgent attention. The consistent hardening of Chrome’s sandbox and site isolation has pushed attackers toward exploiting weaker links in the chain—graphics stacks being one of them.
How to verify you are protected
Windows users can confirm they have the patched version by:
- Opening Chrome.
- Clicking the three-dot menu > Help > About Google Chrome.
- Checking that the version number reads 147.0.7727.138 or higher.
Alternatively, enterprise administrators can query the registry or use centralized tools to audit installed Chrome versions across their network.
Final thoughts
While CVE-2026-7340 is classified as medium severity, its location in ANGLE and Windows-specific impact make it a significant patch. The rapid fix by Google demonstrates the effectiveness of its continuous integration and fast release cycle, but the burden is on users and organizations to apply updates without delay. As always, the best defense against browser-based attacks is a combination of timely patching and cautious online behavior.
Stay tuned to the Chrome Releases blog and the NVD entry for CVE-2026-7340 as more technical details become public. In the meantime, update today and keep your browser secure.