Severity by source
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Use after free in Skia in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
AnalysisAI
Sandbox escape in Google Chrome versions prior to 148.0.7778.96 allows remote attackers who have already compromised the renderer process to break out of Chrome's security sandbox through a use-after-free vulnerability in the Skia graphics library. Exploitation requires user interaction with a malicious HTML page and successful prior renderer compromise, representing a second-stage attack rather than initial access. No active exploitation confirmed (not in CISA KEV), though the vulnerability's sandbox escape capability makes it valuable for targeted attack chains.
Technical ContextAI
Skia is Chrome's 2D graphics rendering engine responsible for drawing web page elements, canvas operations, and UI components. The CWE-416 use-after-free occurs when code attempts to access memory after it has been freed, typically due to incorrect object lifetime management or race conditions during asynchronous operations. In Skia's context, this often involves graphics object destruction while references remain active during rendering operations. The CVSS scope change (S:C) reflects the vulnerability's ability to escape Chrome's multi-process sandbox architecture, where renderer processes normally operate with restricted privileges isolated from the underlying operating system. The 'High' Chromium security severity reflects the sandbox escape capability, as renderer compromise alone is typically rated lower without the privilege escalation component.
RemediationAI
Update Google Chrome to version 148.0.7778.96 or later immediately via the built-in auto-update mechanism (Settings → About Chrome) or by downloading from https://www.google.com/chrome/. The vendor-released patch is confirmed available per the stable channel update announcement at https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html. Chrome typically auto-updates within 24-48 hours of release, but manual update verification is recommended for enterprise environments. For organizations unable to patch immediately, compensating controls include: restricting Chrome usage to trusted sites only via enterprise policy URL allowlists (ChromeEnterpriseAllowlist), though this significantly limits browser functionality and user productivity; deploying browser isolation solutions that render untrusted content in remote containers, adding another sandbox layer but introducing latency and infrastructure costs; or temporarily switching to alternative browsers until patching is complete, which may disrupt workflows dependent on Chrome-specific features or extensions. None of these workarounds provide complete protection since the vulnerability exists in the installed Chrome binary.
Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player
V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac
Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, a
The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, do
Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb
Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi
An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi
The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se
Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13
Same weakness CWE-416 – Use After Free
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27943