Skip to main content

Google Chrome CVE-2026-9990

| EUVDEUVD-2026-33132 HIGH
Use After Free (CWE-416)
2026-05-28 Chrome GHSA-w739-54jw-wcmf
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
8.8 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
CVE Published
Jun 22, 2026 - 06:03 cve.org
HIGH 7.5
Analysis Generated
May 29, 2026 - 19:24 vuln.today
CVSS changed
May 29, 2026 - 19:22 NVD
7.5 (HIGH)
CVE Published
May 28, 2026 - 22:25 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Use after free in WebAppInstalls in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Heap corruption in Google Chrome on macOS prior to version 148.0.7778.216 can be triggered remotely through a crafted HTML page combined with specific user interface gestures, leveraging a use-after-free condition in the WebAppInstalls component. Chrome rates this as High severity and has shipped a patched stable channel release, though no public exploit identified at time of analysis and EPSS estimates exploitation probability at just 0.03%.

Technical ContextAI

The flaw resides in WebAppInstalls, the Chromium subsystem responsible for handling Progressive Web App (PWA) installation flows on macOS. The root cause is CWE-416 (Use After Free), in which an object is freed while a dangling pointer still references it; subsequent dereference can corrupt the heap and, with careful grooming, redirect control flow inside the renderer or browser process. CPE data confirms the affected product as cpe:2.3:a:google:chrome (Mac builds specifically per the description), and the Chromium issue tracker entry 513128608 corresponds to the upstream fix landed for the 148.0.7778.216 stable channel update.

RemediationAI

Vendor-released patch: Google Chrome 148.0.7778.216 for macOS - upgrade immediately via the Chrome stable channel update referenced at https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html, and confirm enterprise fleets via MDM or Chrome Browser Cloud Management. Until patched hosts are rolled out, compensating controls include using Chrome Enterprise policy WebAppInstallForceList / DefaultWebAppInstallSetting to restrict or disable PWA installation flows (trade-off: users lose the ability to install web apps), and SiteIsolationEnabled plus strict download/UI-warning training to reduce the likelihood that a user completes the required gesture on an untrusted site. Tracking metadata is available at the Chromium issue https://issues.chromium.org/issues/513128608.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Leap 16.0 Fixed
openSUSE Tumbleweed Fixed

Share

CVE-2026-9990 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy