Description
Use after free in Aura in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-06
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use-after-free in the Aura user-interface layer of Google Chrome allows a remote attacker who has compromised the renderer process to potentially escape the renderer sandbox through a crafted HTML page. The flaw lets the attacker reference memory after it has been freed, which can be leveraged to execute arbitrary code on the host system. The weakness is classified as CWE-416 (Use After Free).

Affected Systems

All Google Chrome browsers older than version 148.0.7778.96 on any supported platform are affected. The issue is present in every build that predates this patch release.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.3, indicating high severity, and is not currently listed in the CISA KEV catalog. Since the exploit requires prior compromise of the renderer process and a user opening a maliciously crafted page, the attack surface is limited but the potential impact is severe. EPSS data is unavailable, so the precise likelihood is uncertain; however, given the high severity and the nature of the flaw, organizations should treat the risk as significant.

Generated by OpenCVE AI on May 6, 2026 at 23:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 148.0.7778.96 or newer on all affected machines
  • If an upgrade cannot be performed immediately, restrict or block the loading of untrusted HTML content that might trigger the flaw, and consider disabling problematic extensions that may serve malicious content
  • Continuously monitor the browser for anomalous renderer activity and ensure that users are educated about avoiding suspicious web pages

Generated by OpenCVE AI on May 6, 2026 at 23:36 UTC.

Advisories

No advisories yet.

History

Wed, 06 May 2026 23:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Apple, Apple macos, Linux, Linux linux Kernel, Microsoft, Microsoft windows

Type: CPEs
Values Removed: (none)
Values Added:
  cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
  cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
  cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added: Apple, Apple macos, Linux, Linux linux Kernel, Microsoft, Microsoft windows

Wed, 06 May 2026 23:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 06 May 2026 22:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Wed, 06 May 2026 20:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Google, Google chrome

Type: Vendors & Products
Values Removed: (none)
Values Added: Google, Google chrome

Wed, 06 May 2026 18:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: Use after free in Aura in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-416
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-07T03:56:48.131Z

Reserved: 2026-05-05T22:59:09.292Z

Link: CVE-2026-7919

Vulnrichment

Updated: 2026-05-06T20:43:19.702Z

NVD

Status: Analyzed

Published: 2026-05-06T19:16:40.173

Modified: 2026-05-06T23:38:42.463

Link: CVE-2026-7919

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T23:45:06Z

Weaknesses