Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Use after free in V8 in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code inside a sandbox via a crafted Chrome Extension. (Chromium security severity: Medium)
AnalysisAI
Use-after-free in Chrome's V8 JavaScript engine enables remote code execution inside the sandbox when users install a malicious extension. Google Chrome versions prior to 148.0.7778.96 are vulnerable to arbitrary code execution through specially crafted Chrome Extensions exploiting memory corruption in V8. CVSS rates this 8.8 (High) with network attack vector requiring user interaction. Vendor-released patch available in Chrome 148.0.7778.96 per Google's May 2026 stable channel update. EPSS and KEV data not provided; exploitation requires social engineering to install malicious extension, limiting automated exploitation scenarios.
Technical ContextAI
V8 is Google's open-source JavaScript and WebAssembly engine used in Chrome and Chromium browsers. This vulnerability is a use-after-free condition (CWE-416), a class of memory corruption bug where code continues to use a memory pointer after the referenced object has been deallocated. In V8's context, this typically occurs during JavaScript execution when garbage collection prematurely frees objects still referenced by running code. The malicious extension context is critical: Chrome's extension APIs provide elevated privileges to interact with browser internals and V8 engine components. While code execution occurs within Chrome's sandbox architecture (limiting system-level access), the attacker gains arbitrary code execution within the renderer process, potentially enabling sandbox escape when chained with other vulnerabilities. The CPE string cpe:2.3:a:google:chrome identifies all Google Chrome browser installations on any platform prior to the fixed version.
RemediationAI
Vendor-released patch: Chrome 148.0.7778.96, available via Google's May 2026 stable channel update at chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html. Users should update immediately through Chrome's built-in updater (Settings → About Chrome) or enterprise deployment tools. For organizations unable to patch immediately, implement compensating controls: restrict extension installation via enterprise policy ExtensionInstallBlocklist to block all extensions except approved allowlist, mitigating the attack vector entirely but impacting user productivity if extensions are workflow-critical; disable Developer Mode via DeveloperToolsAvailability policy to prevent sideloading of unpacked extensions, though this doesn't prevent Web Store-distributed malicious extensions; deploy Chrome Enterprise with ExtensionInstallSources policy limiting installations to corporate-controlled stores only. Monitor Chrome extension installation logs via chrome://policy and endpoint detection tools. Note these controls require Chrome Enterprise licensing and may disrupt legitimate extension-dependent workflows. No workaround eliminates vulnerability in affected V8 code itself.
Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player
V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac
Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, a
The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, do
Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb
Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi
An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi
The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se
Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13
Same weakness CWE-416 – Use After Free
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27983