A critical use-after-free vulnerability in Google’s ANGLE graphics library, tracked as CVE-2026-7901, landed in the National Vulnerability Database on May 6, 2026 with a high-severity rating. The bug allows a remote attacker to craft a malicious web page that triggers memory corruption—potentially leading to arbitrary code execution on a victim’s machine. While the initial advisory flags Chrome for macOS before version 148.0.7778.96, the shared Chromium codebase means every browser that relies on ANGLE—including Microsoft Edge and a host of third-party browsers on Windows—likely inherits the same dangerous flaw.

The timeline is tight. Google’s Chrome team shipped the fix in a stable-channel update, but if you’re using Edge, Brave, Opera, Vivaldi, or any other Chromium derivative, you need to verify that you’re running a patched build immediately. Here’s what the vulnerability actually does, why it’s so dangerous on Windows, and exactly what you should do to lock things down.

What is ANGLE, and why does it matter?

ANGLE stands for Almost Native Graphics Layer Engine. It’s an open-source compatibility shim that translates WebGL and OpenGL ES calls into the native graphics API of the underlying operating system. On Windows, that means Direct3D; on macOS and iOS, Metal; and on Linux or Android, Vulkan or OpenGL. Because web developers lean heavily on WebGL for interactive 3D content, browser engines need a reliable way to render that content securely across platforms—and ANGLE is the component that makes it happen.

Chromium adopted ANGLE back in 2011 as a practical fix for buggy OpenGL drivers on Windows. Today it’s deeply embedded: every Chromium-based browser ships with ANGLE, and every time a site throws up a 3D graph, a mapping tool, or a visual effect, ANGLE is parsing those GPU instructions. If an attacker can corrupt ANGLE’s memory, they can potentially break out of the browser’s sandbox and execute arbitrary code with the privileges of the logged-in user.

Inside CVE-2026-7901: a classic use-after-free

Use-after-free (UAF) is one of the most exploited bug classes in browser engines. When a program frees a block of memory but later tries to read or write to that same address, an attacker can carefully shape the heap so that the freed slot gets reallocated with attacker-controlled data. The end result: the browser’s logic pointer can be hijacked to redirect execution flow, bypass memory protections, or leak sensitive information.

According to the initial Chromium security advisory, CVE-2026-7901 resides in a specific ANGLE code path that handles certain WebGL texture operations. Exploitation requires a user to visit a malicious website that contains a specially crafted WebGL payload. No further interaction is needed—just loading the page is enough to trigger the corruption. The advisory marks the vulnerability as “High” severity, a classification reserved for bugs that could lead to remote code execution, sandbox escape, or information disclosure under realistic attack scenarios.

The specific commit that fixed the bug reveals that the issue stemmed from an error in how ANGLE tracked the lifetime of a GPU buffer object. Under rare conditions, a buffer could be freed while a pending draw command still held a reference, resulting in a dangling pointer. Attackers who can control the timing of GPU commands can turn that dangling pointer into a reliable exploitation primitive.

The macOS label doesn’t mean Windows is safe

Google’s bulletin mentions “Chrome for macOS before 148.0.7778.96,” which has led some to assume the vulnerability is exclusive to Apple hardware. That’s a dangerous misinterpretation. The macOS notation indicates only the platform where the bug was confirmed and reproduced during internal testing. ANGLE’s Metal backend on macOS is distinct from the Direct3D 11/12 backend on Windows, but a significant portion of ANGLE’s code—including the buffer-management module at the heart of this CVE—is shared across all backends.

In other words, the faulty code path very likely exists in the Windows builds too. Chromium security issues are almost never OS-specific unless they involve OS-level IPC or operating-system calls. A memory-management defect in a core library like ANGLE almost always affects every platform that ships that library. Until Microsoft or the Chromium project explicitly states that Windows is unaffected, the safest assumption is that Edge on Windows is just as vulnerable as Chrome on macOS.

Furthermore, Edge uses the same ANGLE library version as the Chromium release it tracks. When Google released Chrome 148.0.7778.96, they pushed the fix to the upstream Chromium repository. Microsoft’s Edge engineering team typically integrates upstream security patches within 24 to 48 hours. If you haven’t restarted Edge in a while, you might still be running an exposed build.

Real-world impact: drive-by attacks and supply-chain risks

Successful exploitation of CVE-2026-7901 allows an attacker to run arbitrary code inside the browser process. In the worst case—if combined with a sandbox escape—the attacker gains full user-level access to the Windows machine: reading documents, installing malware, exfiltrating credentials, or pivoting onto the corporate network.

Drive-by attacks are the most likely delivery method. An innocuous-looking website hosting a malicious WebGL advertisement or an injected script could compromise every visitor who hasn’t applied the update. With the popularity of WebGL-powered content—animations, product configurators, browser games—there’s no shortage of legitimate sites that could be co-opted.

Enterprise environments face an elevated risk. Many organizations deploy Edge as the default browser across thousands of endpoints, and deploying updates often lags behind consumer devices due to change-control windows. A zero-day exploit (or a rapidly weaponized N-day) aimed at this vulnerability could become a conduit for ransomware operators looking to move laterally from a single compromised workstation.

How to check if you’re patched

For Google Chrome users on any platform, navigate to chrome://settings/help. Chrome will automatically check for updates and display the version number. If the version is 148.0.7778.96 or higher, you’re protected. Chrome typically downloads updates silently, but you must restart the browser to apply them. Look for the colored update indicator in the toolbar—green for a fresh update, orange for a pending restart.

For Microsoft Edge users, open edge://settings/help. Edge will run its own update check. The Edge version number is independent of Chrome’s, but the security patch will be noted in the release notes for Edge’s Stable channel. At the time this article went to press, the equivalent Edge build that contains the ANGLE fix is expected to be Edge 148.0.7778.92 or later. Microsoft usually publishes CVE details in its Security Update Guide, so search for “CVE-2026-7901” at msrc.microsoft.com to get the official advisory.

For other Chromium-based browsers (Brave, Opera, Vivaldi, Samsung Internet on Android, etc.), check the browser’s About section. If the Chromium engine version is 148.0.7778.96 or newer, you’re good. Many of these browsers use Chromium’s auto-update mechanism, but some enterprise or portable variants may require manual intervention.

Immediate steps for Windows users

  1. Restart your browser now. Most modern browsers will not complete an update until you quit and relaunch them. If you have tabs you can’t lose, bookmark them first.
  2. Enable automatic updates. In Edge, this is controlled through Windows Update for the browser’s built-in updater; ensure “Automatically download updates over metered connections” is set appropriately if you’re on a limited data plan.
  3. Verify the patch. After restarting, go to the Help page and confirm the version number. If it’s still out of date, download the latest offline installer from Google or Microsoft.
  4. Scan for indicators of compromise. While the bug requires a specific WebGL payload, any unexpected crashes or weird graphical glitches in the days before the patch could be signs of probing. Consider running a full system scan with Windows Defender or your endpoint protection platform.
  5. Implement browser isolation for high-risk users. If you manage enterprise endpoints, consider forcing Edge into Application Guard mode or using a remote browser isolation solution until you can confirm that all clients are updated.

Microsoft’s response and Edge’s update cadence

Microsoft has a strong track record of shipping Chromium security fixes within days of upstream disclosure. For high-severity bugs like CVE-2026-7901, the Edge team often accelerates the update to the Stable channel, sometimes pushing a same-day emergency release. Keep an eye on the Microsoft Edge release notes page (aka.ms/EdgeReleaseNotes) and the Microsoft Security Response Center (@MsftSecIntel on X/Twitter) for confirmation.

If you’re running Edge on an older Windows version that is out of support (Windows 7, Windows 8, or Windows 8.1), you’ll need to upgrade to Windows 10 or 11 to receive the latest browser updates. Chromium-based browsers will eventually stop supporting these operating systems, leaving them permanently exposed.

What is Remote Code Execution in WebGL attacks?

Understanding the attack chain helps you appreciate why this bug is so dangerous. When you visit a webpage, the JavaScript engine hands WebGL commands to ANGLE. ANGLE compiles them into GPU shaders and buffer operations that get dispatched to the graphics driver. In a use-after-free scenario, an attacker can create a shader that races the buffer deallocation—first freeing a GPU memory block, then immediately crafting a draw call that references the same memory. If the freed slot has been reallocated to contain, say, a pointer to a vtable, the browser’s control flow can be redirected.

Because the attack operates at the GPU-interface level, traditional browser security mechanisms like Same-Origin Policy or Content Security Policy offer little protection. The payload executes within the trusted browser process itself. Modern browser sandboxing (Chrome’s sandbox on Windows, Edge’s built-in protections) can limit the blast radius by isolating the GPU process, but sandbox escapes—often discovered in tandem with such bugs—are what turn a crash into full-blown system compromise.

The broader Chromium ecosystem remains on notice

It’s not just Chrome and Edge. Electron applications (VS Code, Slack, Discord, Teams) embed Chromium and render WebGL content—though most Electron apps disable web integration that could reach external sites. Still, if an Electron app loads untrusted content, it inherits the same risk. Users should ensure their Electron-based tools are updated promptly.

Similarly, mobile browsers that share the Chromium engine may be vulnerable on Android if they haven’t applied the May 2026 security patch. Android’s default WebView is updated through Google Play System Updates, so check that your WebView version is current.

The bottom line: patch before attackers weaponize

The window between disclosure and active exploitation is shrinking every year. In 2025, the average time to observed in-the-wild attacks after a Chromium CVE disclosure dropped to just three days. CVE-2026-7901 was disclosed on a Monday, and by Wednesday proof-of-concept code often circulates among security researchers. It’s only a matter of time before real campaigns begin.

So, take five minutes: restart your browser, verify the version, and tell your colleagues to do the same. A quick restart now is far less painful than a full incident response later.

For ongoing coverage of Windows-related security threats and Chromium updates, bookmark our Security Alerts section and follow windowsnews.ai on your favorite social platform.