Severity by source
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Uninitialized Use in Gamepad in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
AnalysisAI
Sandbox escape in Google Chrome on macOS prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page targeting the Gamepad component. The flaw is rated High by Chromium and carries a CVSS 8.3 (AV:N/AC:H/PR:N/UI:R/S:C), but EPSS is only 0.03% (11th percentile) and no public exploit identified at time of analysis. The bug is a second-stage primitive in a multi-stage exploit chain rather than a standalone RCE.
Technical ContextAI
The vulnerability is in Chrome's Gamepad subsystem, which exposes the W3C Gamepad API to web content via an IPC interface between the sandboxed renderer process and a more privileged browser-process component on macOS. CWE-457 (Use of Uninitialized Variable) indicates that a memory region - likely a struct, buffer, or pointer field handled in the Gamepad code path - is read before being assigned, yielding either stack/heap residue (potential info leak) or a controllable value that can be coerced into a type confusion or arbitrary read/write primitive across the renderer/browser trust boundary. The affected CPE is cpe:2.3:a:google:chrome and the issue is macOS-specific, suggesting the uninitialized state lives in platform-specific Gamepad backend code (likely the IOKit/HID bridge) rather than the cross-platform layer.
RemediationAI
Vendor-released patch: Google Chrome 148.0.7778.216 for macOS - upgrade to this or a later stable-channel build via the Chrome Releases advisory at https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html. In managed-fleet environments, push the update through MDM (Jamf, Intune, Kandji) and force-relaunch Chrome to ensure the new binary is active, since the patch is dormant until restart. If patch deployment must be delayed, a targeted compensating control is to disable the Gamepad API via enterprise policy or by setting the chrome://flags/#enable-gamepad related runtime features off where supported, or by blocking the Permissions-Policy gamepad=() at an enterprise proxy that injects response headers; the trade-off is that any legitimate browser-based game, WebXR, or accessibility input use case will break. Network-level mitigation is not effective here because exploitation requires only a visit to attacker-controlled HTML, so URL filtering would have to be near-total to help.
Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player
V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac
Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, a
The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, do
Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb
Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi
An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi
The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se
Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13
Same weakness CWE-457 – Use of Uninitialized Variable
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Leap 16.0 | Fixed |
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33114
GHSA-p4c3-gfp9-4r8q