Severity by source
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Use after free in Fullscreen in Google Chrome on Windows prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
AnalysisAI
Sandbox escape in Google Chrome on Windows allows attackers who have already compromised the renderer process to break out of Chrome's security sandbox via a use-after-free flaw in the Fullscreen API. Affects Chrome versions prior to 148.0.7778.96 on Windows platforms. Google has released a patch (version 148.0.7778.96) and rated this High severity. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept code at time of analysis, though the vulnerability requires initial renderer compromise making it a second-stage exploitation vector.
Technical ContextAI
This is a use-after-free (CWE-416) memory corruption vulnerability in Chrome's Fullscreen API implementation on Windows. Use-after-free occurs when code continues to use a memory pointer after the memory has been freed, allowing attackers to manipulate program execution by controlling the freed memory's contents. The vulnerability exists specifically in the fullscreen handling code path on Windows builds of Chrome (CPE: cpe:2.3:a:google:chrome). Chrome's multi-process architecture employs sandbox isolation to contain compromised renderer processes, but this vulnerability allows escape from that critical security boundary. The Changed scope (S:C) in the CVSS vector confirms the sandbox escape capability, as the vulnerability impacts resources beyond the vulnerable component's security scope.
RemediationAI
Update Google Chrome for Windows to version 148.0.7778.96 or later immediately. Chrome typically auto-updates within 24-48 hours, but administrators should force updates via chrome://settings/help or enterprise policies for managed deployments. Google's stable channel update announcement at http://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html contains official patch information. Technical details in Chromium issue tracker at https://issues.chromium.org/issues/498752242 may be access-restricted until patch deployment is widespread. If immediate patching is impossible, compensating controls include: disable fullscreen API via enterprise policy ExtensionInstallForcelist to block fullscreen requests (impacts user experience for legitimate fullscreen content like videos); deploy Chrome in application virtualization or sandbox solutions like Windows Defender Application Guard to add additional containment layers (performance overhead 15-30%); restrict Chrome usage to low-privilege user accounts on Windows to limit post-exploitation impact (does not prevent sandbox escape but limits lateral movement). These mitigations significantly degrade user experience and should only be temporary measures.
Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player
V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac
Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, a
The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, do
Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb
Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi
An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi
The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se
Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13
Same weakness CWE-416 – Use After Free
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27937