{
"title": "CVE-2026-7943 ANGLE Read/Write Bug: Chrome and Edge Patch Guidance for Windows",
"content": "Google and Microsoft rushed out patches for a potentially devastating vulnerability in the ANGLE graphics abstraction layer, a core component of Chromium-based browsers including Chrome and Edge. The flaw, catalogued as CVE-2026-7943, enables an attacker who already controls a compromised renderer process to read or write arbitrary data in the browser’s memory, bypassing security boundaries and possibly executing malicious code on the host Windows machine.
The fix landed in early May 2026 with the release of Chrome 148.0.7778.96. Microsoft followed swiftly, delivering the updated Edge browser to Windows users through Windows Update and the browser’s built-in update channel. Security researchers and IT administrators are calling this a “patch-now” situation due to the severity and the relative ease of chaining the bug with other exploits.
Understanding the ANGLE Attack Surface
ANGLE (Almost Native Graphics Layer Engine) operates within the GPU process of Chromium, which is sandboxed but has a larger attack surface than the renderer because it must communicate with the operating system’s graphics drivers. When a web page uses WebGL, the renderer process compiles shaders and dispatches commands to the GPU process, which then translates those commands via ANGLE into Direct3D calls on Windows.
A flaw in ANGLE’s parsing of shader binaries or vertex attributes can cause the GPU process to read or write memory at an attacker-controlled offset. This class of bug—often an integer overflow, buffer underflow, or missing bounds check on array indices—can be triggered remotely and exploited to corrupt critical data structures.
CVE-2026-7943 appears to be just such a flaw. The Chromium advisory states the bug is in the “validation” stage, meaning ANGLE failed to properly check the limits of a supplied input before using it as an index or size parameter. This is a classic memory-safety violation.
Attack Scenario: From Renderer to System
Modern browsers isolate the renderer process in a restrictive sandbox. The renderer cannot directly access the file system, network, or child-process creation APIs. To escape, an attacker must chain a renderer bug with a sandbox-escape bug, often located in the browser’s broker process or in a more-privileged process like the GPU process.
CVE-2026-7943 gives an attacker in the renderer a means to corrupt the GPU process’s memory. Because the GPU process runs with additional privileges to interface with the kernel-mode graphics driver, a successful exploit can potentially:
- Leak sensitive data from the GPU process heap, including WebGL shader output that may contain pixel data from other tabs or the desktop (if hardware acceleration is on).
- Overwrite function pointers to gain code execution within the GPU process.
- Use the GPU process’s access to launch a direct attack on the graphics driver, escalating to kernel mode.
Affected Browsers and Platforms
The primary browsers affected are Chrome and Edge, but any Chromium-based browser that uses the vulnerable ANGLE library is at risk. This includes Brave, Vivaldi, Opera, and numerous others. On Windows, the vulnerability is particularly dangerous because it can interact with the operating system’s graphics drivers and escalate privileges.
Firefox and Safari are not affected because they do not use ANGLE; Firefox uses its own WebRender and Metal systems, while Safari uses Apple’s native graphics stacks.
Versions fixed:
- Google Chrome: 148.0.7778.96 or later (Stable channel). The update was rolled out over two days starting May 4, 2026.
- Microsoft Edge: Version 148.0.7778.99 or later, released via Windows Update and Microsoft’s release server on May 5–6, 2026. Edge also received the fix as part of the extended-stable channel for enterprise.
- Other Chromium browsers: Maintainers typically integrate Chromium security patches within 24–72 hours. Users should confirm their browser incorporates the Chromium 148.0.7778.96 security baseline.
How to Update Chrome on Windows
Updating Chrome is straightforward:
- Open Chrome.
- Click the three-dot menu in the top-right corner.
- Navigate to Help > About Google Chrome.
- Chrome will automatically check for updates and install version 148.0.7778.96 or later.
- Click Relaunch to complete the process.
How to Update Microsoft Edge on Windows
On most consumer Windows PCs, Edge updates silently through Windows Update. To verify or force an update:
- Open Edge.
- Click the three-dot menu > Help and feedback > About Microsoft Edge.
- Edge will download and install any pending updates.
- Restart the browser when prompted.
For managed environments, the Edge update is available through these channels:
- Windows Update for Business: The patch is delivered via the “Security Updates” classification.
- Windows Server Update Services (WSUS): Admins can import the Edge update as a separate package.
- Microsoft Update Catalog: Standalone .msi and .exe installers are available for offline deployment.
Why This Vulnerability Matters for Windows Users
Windows remains the most targeted desktop platform for browser-based attacks, and ANGLE’s reliance on system graphics drivers adds an additional layer of risk. A bug that allows arbitrary read/write in the GPU process can often be weaponized to achieve kernel-level access if the graphics driver itself contains exploitable flaws. Security researchers have demonstrated chained attacks where an ANGLE bug provides the initial information leak, leading to a complete system compromise.
Moreover, CVE-2026-7943 was discovered by an external researcher who reported it responsibly to Google’s Project Zero. However, the timeline from fix to public disclosure was shortened because some details may have leaked through public Chromium commits. This means that exploit weaponization could happen quickly, making prompt patching critical.
Historical Context: ANGLE Bugs Are Not New
This is not the first time ANGLE has harbored dangerous security flaws. In 2021, CVE-2021-30551 was an out-of-bounds write in ANGLE that allowed sandbox escape. In 2023, another heap buffer overflow (CVE-2023-2615) let a remote attacker cause memory corruption. Each incident triggered a flurry of Chrome and Edge updates. The persistence of these bugs underlines the difficulty of securing complex graphics translation layers that must interact with a multitude of driver versions and hardware.
Enterprise Patching Best Practices
Large organizations running Windows should treat this as a high-priority update and follow these steps:
- Inventory: Identify all systems running Chrome or Edge. Use endpoint management tools like Microsoft Intune, SCCM, or BigFix to query browser versions.
- Deploy patches: For Chrome, push the latest enterprise MSI via Group Policy or software distribution. For Edge, approve the update in WSUS or deploy the MSI from the Update Catalog.
- Force browser restarts: Users often leave browsers open for days. Set a deadline in your deployment tool to restart the browser after, say, 8 hours.
- Monitor for compliance: Use tools like Microsoft Defender for Endpoint or third-party vulnerability scanners to confirm all browsers are updated.
- Disable ANGLE as a temporary mitigation? Some previous ANGLE bugs could be mitigated by launching Chrome with the command-line flag --disable-angle-features=true or --disable-gpu, but this breaks hardware acceleration and web apps. Microsoft and Google have not recommended such workarounds for CVE-2026-7943; patching is the only safe course.
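The inventory and compliance steps above can be checked against an exported browser inventory. The script below is an added example, not part of the original article or any vendor tooling: the fixed versions are the ones this article states, while the CSV layout, host names and sample rows are constructed assumptions. It compares versions numerically, because a plain string comparison would rank 148.0.7778.100 below 148.0.7778.96.

```python
# Added example: flag hosts whose browser is below the fixed version named in the article.
# The inventory rows are constructed sample data, not real telemetry.
import csv
import io

# Minimum fixed versions as stated in the article.
FIXED = {
    'chrome': (148, 0, 7778, 96),
    'edge': (148, 0, 7778, 99),
}

# Assumed export format: host,browser,version (hypothetical layout).
SAMPLE_INVENTORY = '''host,browser,version
ws-001,chrome,148.0.7778.96
ws-002,chrome,148.0.7778.100
ws-003,chrome,147.0.7700.120
ws-004,edge,148.0.7778.96
ws-005,edge,148.0.7778.99
ws-006,edge,unknown
ws-007,brave,1.80.0
'''

def parse_version(text):
    '''Return a 4-tuple of ints, or None if text is not a four-part dotted version.'''
    parts = text.strip().split('.')
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(browser, version_text):
    '''Return patched, vulnerable, unknown (unparseable) or review (no baseline here).'''
    baseline = FIXED.get(browser.strip().lower())
    if baseline is None:
        # Other Chromium browsers use their own version numbers: check the vendor's
        # release notes for the Chromium security baseline instead of guessing.
        return 'review'
    version = parse_version(version_text)
    if version is None:
        return 'unknown'
    # Tuple comparison is numeric per component, unlike comparing the raw strings.
    return 'patched' if version >= baseline else 'vulnerable'

def audit(inventory_csv):
    '''Map each host in the CSV text to its classification.'''
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {row['host']: classify(row['browser'], row['version']) for row in rows}

if __name__ == '__main__':
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(host, status)
```

Hosts reported as unknown or review need a manual check rather than being counted as compliant.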
Verifying the Patch
After updating, you can verify the version by navigating to chrome://version or edge://version. Look for “148.0.7778.96” or higher for Chrome, and “148.0.7778.99” for Edge. The variation in the last component is normal; Edge sometimes adds minor