Description
Use after free in Views in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-06
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use‑after‑free flaw in the Views layer of Google Chrome. It allows an attacker who has already compromised the renderer process to execute code that bypasses Chrome’s site isolation safeguards. This capability can be abused to access data from other sites or to tamper with cross‑origin page content, effectively breaking the isolation that protects distinct web origins. The weakness is classified as CWE‑416.

Affected Systems

The flaw exists in Google Chrome versions prior to 148.0.7778.96. Users running those builds are affected regardless of operating system or architecture. The vulnerability can be triggered by loading a specially crafted HTML page into a compromised renderer instance.

Risk and Exploitability

The CVE is rated as High by Chromium’s own severity analysis. No EPSS score is available, and it is not listed in the CISA KEV catalog, suggesting it may not be widely exploited yet. However, the attack requires that the renderer process have already been compromised, which could occur through zero‑day exploitation of another Chrome weakness or via malicious extensions with high privileges. If that foothold is achieved, the crafted HTML can be delivered remotely and the isolation bypass performed with low additional cost.

Generated by OpenCVE AI on May 6, 2026 at 19:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 148.0.7778.96 or later, ensuring the renderer’s internal memory handling is fixed.
  • Configure Chrome’s policies to enforce site isolation and prevent renderer process compromise, such as restricting extensions and disabling unused renderer features.
  • Verify that no untrusted or malicious extensions are installed and remove any that have elevated privileges.

Generated by OpenCVE AI on May 6, 2026 at 19:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Wed, 06 May 2026 20:15:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free in Chrome Views Enables Bypass of Site Isolation
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 06 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Use after free in Views in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-06T18:12:29.911Z

Reserved: 2026-05-05T22:59:06.948Z

Link: CVE-2026-7910

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T19:16:39.287

Modified: 2026-05-07T14:43:14.907

Link: CVE-2026-7910

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T20:00:05Z

Weaknesses