{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0908", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-01-13T18:20:18.587Z", "datePublished": "2026-01-20T04:14:17.767Z", "dateUpdated": "2026-02-26T14:44:44.939Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "144.0.7559.59", "status": "affected", "lessThan": "144.0.7559.59", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Use after free in ANGLE in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Use after free", "cweId": "CWE-416"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-01-20T04:14:17.767Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html"}, {"url": "https://issues.chromium.org/issues/452209503"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-0908", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-21T04:55:18.350972Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:44:44.939Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-0908", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-21T04:55:18.350972Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T13:41:43.207Z"}}], "cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"status": "affected", "version": "144.0.7559.59", "lessThan": "144.0.7559.59", "versionType": "custom"}]}], "references": [{"url": "https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html"}, {"url": "https://issues.chromium.org/issues/452209503"}], "descriptions": [{"lang": "en", "value": "Use after free in ANGLE in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low)"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-416", "description": "Use after free"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-01-20T04:14:17.767Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0908", "state": "PUBLISHED", "dateUpdated": "2026-02-26T14:44:44.939Z", "dateReserved": "2026-01-13T18:20:18.587Z", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "datePublished": "2026-01-20T04:14:17.767Z", "assignerShortName": "Chrome"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "7322229C-61DF-4A91-9816-F7796F9AABCD", "versionEndExcluding": "144.0.7559.59", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "258B923C-054B-4411-9E82-36C89A6BE4C4", "versionEndExcluding": "144.0.7559.60", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Use after free in ANGLE in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low)"}], "id": "CVE-2026-0908", "lastModified": "2026-01-29T20:27:56.433", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-20T05:16:16.327", "references": [{"source": "chrome-cve-admin@google.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html"}, {"source": "chrome-cve-admin@google.com", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://issues.chromium.org/issues/452209503"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "chrome-cve-admin@google.com", "type": "Secondary"}]}

{"bugzilla": {"description": "chromium-browser: Use after free in ANGLE", "id": "2431128", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431128"}, "csaw": false, "details": ["No description is available for this CVE."], "name": "CVE-2026-0908", "public_date": "2026-01-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-0908\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-0908\nhttps://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html\nhttps://issues.chromium.org/issues/452209503"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.", "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-04-18T04:48:28.992056+00:00", "value": {"mitigation_remediation": ["Upgrade Google Chrome to version\u202f144.0.7559.59 or later to eliminate the use\u2011after\u2011free issue.", "Enable automatic updates for Chrome so that future security patches are applied without manual intervention.", "If immediate upgrade is not possible, temporarily disable hardware acceleration in Chrome (chrome://flags/#disable-gpu) to reduce ANGLE usage until the patch can be installed."], "summary": {"action": "Immediate Upgrade", "impact": "Remote Heap Corruption via Use After Free"}, "threat_synthesis": {"affected_systems": "Google Chrome versions earlier than 144.0.7559.59 are affected on macOS, Windows, and Linux platforms where ANGLE is used, regardless of operating system.", "description_and_impact": "The vulnerability is a use\u2011after\u2011free flaw in the ANGLE component used by Google Chrome; a malicious web page can trigger heap corruption that may lead to arbitrary code execution or a denial\u2011of\u2011service within the browser process, and it is identified as CWE\u2011416.", "risk_and_exploitability": "With a CVSS score of 8.8 the flaw is high severity, yet the EPSS score is below 1\u202f% and it is not present in the CISA KEV catalog, indicating a currently low exploitation probability. The remote attack vector relies on a crafted HTML page, which could be delivered via phishing or compromised sites, and successful exploitation would bypass sandboxing and allow arbitrary code execution, raising the risk for active users until the browser is updated."}}}}, "created": "2026-01-20T08:39:59.655960+00:00", "updated": "2026-04-18T05:00:06.026091+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}