Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Use after free in WebAppInstalls in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
AnalysisAI
Heap corruption in Google Chrome on macOS prior to version 148.0.7778.216 can be triggered remotely through a crafted HTML page combined with specific user interface gestures, leveraging a use-after-free condition in the WebAppInstalls component. Chrome rates this as High severity and has shipped a patched stable channel release, though no public exploit identified at time of analysis and EPSS estimates exploitation probability at just 0.03%.
Technical ContextAI
The flaw resides in WebAppInstalls, the Chromium subsystem responsible for handling Progressive Web App (PWA) installation flows on macOS. The root cause is CWE-416 (Use After Free), in which an object is freed while a dangling pointer still references it; subsequent dereference can corrupt the heap and, with careful grooming, redirect control flow inside the renderer or browser process. CPE data confirms the affected product as cpe:2.3:a:google:chrome (Mac builds specifically per the description), and the Chromium issue tracker entry 513128608 corresponds to the upstream fix landed for the 148.0.7778.216 stable channel update.
RemediationAI
Vendor-released patch: Google Chrome 148.0.7778.216 for macOS - upgrade immediately via the Chrome stable channel update referenced at https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html, and confirm enterprise fleets via MDM or Chrome Browser Cloud Management. Until patched hosts are rolled out, compensating controls include using Chrome Enterprise policy WebAppInstallForceList / DefaultWebAppInstallSetting to restrict or disable PWA installation flows (trade-off: users lose the ability to install web apps), and SiteIsolationEnabled plus strict download/UI-warning training to reduce the likelihood that a user completes the required gesture on an untrusted site. Tracking metadata is available at the Chromium issue https://issues.chromium.org/issues/513128608.
Same weakness CWE-416 – Use After Free
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Leap 16.0 | Fixed |
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33132
GHSA-w739-54jw-wcmf