Severity by source
Sources disagree (Low–High)AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Use after free in Audio in Google Chrome on Mac prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)
AnalysisAI
Remote code execution in Google Chrome on macOS versions prior to 148.0.7778.96 enables attackers to execute arbitrary code within the browser's sandbox through a malicious HTML page exploiting a use-after-free vulnerability in the Audio subsystem. The vulnerability requires user interaction (visiting a crafted webpage) but no authentication, with CVSS 8.8 rating reflecting high impact across confidentiality, integrity, and availability. Google has released patches in Chrome 148.0.7778.96; no active exploitation (KEV) or public POC has been identified at time of analysis, though the technical details are publicly accessible via Chromium issue tracker 495779613.
Technical ContextAI
This is a use-after-free (CWE-416) memory corruption vulnerability in Chrome's Audio subsystem, specific to the macOS implementation. Use-after-free occurs when code attempts to access memory that has already been deallocated, allowing attackers to manipulate freed memory objects to redirect program execution flow. The vulnerability affects cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* prior to version 148.0.7778.96 on macOS platforms. Chrome's sandbox architecture is designed to contain exploits within restricted processes, limiting access to system resources even after successful code execution. This particular flaw exists in audio processing code paths that handle media elements in web content, making it triggerable through crafted HTML pages containing specific audio manipulation sequences. The platform-specific nature (macOS only) suggests the vulnerable code resides in platform-dependent audio backend implementations rather than cross-platform WebAudio API layers.
RemediationAI
Update Google Chrome on macOS to version 148.0.7778.96 or later immediately, as released in Google's May 2026 stable channel update (https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html). Chrome's auto-update mechanism typically deploys this automatically; verify version in chrome://settings/help. For enterprise environments using managed Chrome deployments, push version 148.0.7778.96 through administrative update policies. No workarounds fully mitigate the risk, but temporary compensating controls include: disabling JavaScript for untrusted sites via content settings (chrome://settings/content/javascript), which prevents execution of crafted HTML audio manipulation code but severely impacts web functionality; implementing browser isolation solutions that render untrusted content in disposable virtual environments; or restricting users to curated allow-lists of trusted domains until patching completes. These workarounds carry significant usability penalties and should only be considered for air-gapped or update-restricted systems during the patching window.
Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player
V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac
Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, a
The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, do
Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb
Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi
An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi
The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se
Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13
Same weakness CWE-416 – Use After Free
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28107