CVE-2026-14382

CRITICAL

Google Chrome - Improper Input Validation

Title source: rule
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-14382. PoCs published by jaf0rk.

AI-analyzed exploit summary This PoC demonstrates a memory corruption vulnerability in ANGLE's OpenGL ES implementation (CVE-2026-14382) by exploiting improper state management of Transform Feedback objects. The exploit triggers a use-after-free condition when a paused Transform Feedback buffer is redefined, leading to a controllable crash in 32-bit environments.

Description

Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Exploits (1)

github WORKING POC
by jaf0rk · cpoc
https://github.com/jaf0rk/CVE-2026-14382

This PoC demonstrates a memory corruption vulnerability in ANGLE's OpenGL ES implementation (CVE-2026-14382) by exploiting improper state management of Transform Feedback objects. The exploit triggers a use-after-free condition when a paused Transform Feedback buffer is redefined, leading to a controllable crash in 32-bit environments.

Classification
Working Poc 98%
Attack Type
Other
Complexity
Moderate
Reliability
Racy
Target: ANGLE (Almost Native Graphics Layer Engine), specifically OpenGL ES 3.0 implementations
No auth needed
Prerequisites: Access to a vulnerable OpenGL ES 3.0 environment (e.g., Android device with Mali GPU) · Ability to execute native code on the target system
mistral-large-3 · analyzed Jul 08, 2026 Full analysis →

Scores

CVSS v3 9.6
EPSS 0.0028
EPSS Percentile 19.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-20
Status published
Products (2)
google/chrome < 150.0.7871.46
Google/Chrome 150.0.7871.46
Published Jul 01, 2026
Tracked Since Jul 02, 2026