Description
Integer overflow in WTF in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-28
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an integer overflow in the WTF component of Google Chrome. A remote attacker can supply a crafted HTML page that triggers the overflow, leading to execution of arbitrary code inside a sandboxed process. The flaw is classified as CWE-190 and CWE-472 and carries a Chromium severity of high, indicating serious potential damage if exploited.

Affected Systems

The flaw affects Google Chrome versions prior to 148.0.7778.216. All desktop builds that have not yet upgraded to this release are vulnerable. No other browsers or products are impacted by this specific issue.

Risk and Exploitability

The exploit requires only that the target user open a malicious HTML page, which can be delivered via a compromised website or phishing. Because the flaw is in a component accessed by any web page, the attack vector is remote over the network and no local privileges are needed. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, but the high Chromium severity suggests a serious risk. The CVSS score is 8.8, indicating high severity.

Generated by OpenCVE AI on May 29, 2026 at 13:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 148.0.7778.216 or newer.
  • Configure Chrome policies to enforce automatic updates and prevent use of older browsers.
  • For mobile or other platforms, install the latest browser version that includes the fix.


Advisories

No advisories yet.

History

Fri, 29 May 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | Integer Overflow in Chrome's WTF Component Enabling Remote Code Execution | chromium-browser: Integer overflow in WTF |
| Weaknesses | | CWE-190 |
| References | | |
| Metrics | threat_severity: None | threat_severity: Important |


Fri, 29 May 2026 11:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Thu, 28 May 2026 23:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Integer Overflow in Chrome's WTF Component Enabling Remote Code Execution |
| First Time appeared | | Google; Google chrome |
| Vendors & Products | | Google; Google chrome |

Thu, 28 May 2026 22:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Integer overflow in WTF in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) |
| Weaknesses | | CWE-472 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-30T03:55:54.344Z

Reserved: 2026-05-28T17:25:14.667Z

Link: CVE-2026-10015

Vulnrichment

Updated: 2026-05-29T10:48:55.703Z

NVD

Status: Awaiting Analysis

Published: 2026-05-28T23:16:43.333

Modified: 2026-05-29T12:16:25.593

Link: CVE-2026-10015

Redhat

Severity: Important

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-10015 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T13:45:45Z

Weaknesses