Description
Use after free in Chromoting in Google Chrome on Linux prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical)
Published: 2026-05-06
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free flaw in Chrome’s Chromoting component on Linux allows a remote attacker to gain arbitrary code execution by sending crafted network traffic to the browser. The vulnerability is rated critical and can compromise a system with little user interaction. The flaw stems from improperly freed memory being re‑used during network parsing, resulting in uncontrolled code execution.

Affected Systems

Google Chrome on Linux at versions earlier than 148.0.7778.96 is affected, which covers all stable channel releases before the listed patch. The flaw resides in the browser's remote desktop (Chromoting) capability.

Risk and Exploitability

The vulnerability permits remote code execution over a network-based attack vector, as inferred from the description that malicious traffic triggers the flaw. The CVSS score of 8.8 confirms a critical severity, the EPSS score is not available, and the issue is not listed in CISA KEV. Exploitation requires network reachability to the Chrome process and the presence of the vulnerable Chromoting feature. No publicly known exploits are reported, but the high severity coupled with the remote nature warrants immediate attention.

Generated by OpenCVE AI on May 7, 2026 at 00:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 148.0.7778.96 or later.
  • Disable the Chromoting feature via Chrome policy or remove the remote desktop extension.
  • Block or restrict RDP/remote desktop traffic on your network firewall for machines that do not require the feature.

Advisories

No advisories yet.

History

Thu, 07 May 2026 01:15:00 +0000
  Title
    Values added: Use After Free in Chrome Chromoting Enables Remote Code Execution

Wed, 06 May 2026 23:45:00 +0000
  First Time appeared
    Values added:
      Linux
      Linux linux Kernel
  CPEs
    Values added:
      cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
      cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
  Vendors & Products
    Values added:
      Linux
      Linux linux Kernel

Wed, 06 May 2026 22:15:00 +0000
  Metrics
    Values added:
      cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
      ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 06 May 2026 20:30:00 +0000
  First Time appeared
    Values added:
      Google
      Google chrome
  Vendors & Products
    Values added:
      Google
      Google chrome

Wed, 06 May 2026 19:45:00 +0000
  Title
    Values added: Use After Free in Chrome Chromoting Enables Remote Code Execution

Wed, 06 May 2026 18:30:00 +0000
  Description
    Values added: Use after free in Chromoting in Google Chrome on Linux prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical)
  Weaknesses
    Values added: CWE-416
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-07T03:56:01.611Z

Reserved: 2026-05-05T22:59:03.686Z

Link: CVE-2026-7898

Vulnrichment

Updated: 2026-05-06T20:20:42.385Z

NVD

Status: Analyzed

Published: 2026-05-06T19:16:38.100

Modified: 2026-05-06T23:43:09.530

Link: CVE-2026-7898

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T01:00:14Z

Weaknesses