Skip to main content

Google Chrome CVE-2026-9984

| EUVDEUVD-2026-33126 HIGH
Use After Free (CWE-416)
2026-05-28 Chrome GHSA-rv3r-pw4j-7p7r
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
8.8 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
CVE Published
Jun 22, 2026 - 06:03 cve.org
HIGH 8.8
Analysis Generated
May 29, 2026 - 12:33 vuln.today
CVSS changed
May 29, 2026 - 12:22 NVD
8.8 (HIGH)
CVE Published
May 28, 2026 - 22:25 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Use after free in UI in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Remote code execution in Google Chrome for Windows versions prior to 148.0.7778.216 stems from a use-after-free condition in the UI component, allowing remote attackers to execute arbitrary code by luring a user to a crafted HTML page. Chromium rated the issue High severity and CVSS 8.8 reflects the network-reachable, low-complexity nature of the bug, tempered only by required user interaction (visiting the malicious page). No public exploit identified at time of analysis and the CVE is not currently listed in CISA KEV.

Technical ContextAI

The flaw is a CWE-416 Use-After-Free in Chrome's UI subsystem on Windows, a class of memory-corruption bug where code continues to reference heap memory after it has been freed, enabling attackers to reclaim that memory with attacker-controlled data and hijack control flow. Chrome's multi-process architecture and sandbox normally contain renderer-side bugs, but UI-layer UAFs frequently sit in the browser process or are reachable in ways that increase impact, which aligns with the High severity rating from Chromium. The CPE cpe:2.3:a:google:chrome confirms the affected product is the Chrome desktop browser, with the EUVD record narrowing the affected build to anything prior to 148.0.7778.216 on Windows as stated in the description.

RemediationAI

Vendor-released patch: Google Chrome 148.0.7778.216 on Windows - update to this version or later via the Chrome Stable Channel as announced at https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html, and verify via chrome://settings/help that Chrome has restarted to apply the fix, since pending updates do not take effect until relaunch. In managed environments, push the update through Chrome Enterprise / Group Policy and force a browser relaunch, and audit for endpoints that have suppressed auto-update. Until patching completes, compensating controls include restricting browsing to known-good sites via web proxy or DNS filtering, enabling Chrome's Site Isolation and Enhanced Safe Browsing (already default in modern Chrome), and steering high-risk users to an alternate browser for untrusted content; these reduce exposure but break general-purpose web use and should be lifted once Chrome 148.0.7778.216 is deployed.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Leap 16.0 Fixed
openSUSE Tumbleweed Fixed

Share

CVE-2026-9984 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy