Description
Use after free in Passwords in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-06
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Google Chrome contains a use‑after‑free vulnerability in its password handling component (CWE‑416) that allows a remote attacker to execute arbitrary code by delivering a crafted HTML page to a user. The flaw exists in all Chrome releases prior to 148.0.7778.96 and can be triggered when the page is rendered in the browser, enabling the attacker to run code with the same privileges as the browser process, potentially compromising confidentiality, integrity, and availability of the victim system.

Affected Systems

The vulnerability affects Google Chrome versions released before 148.0.7778.96 on all supported platforms, including Windows, macOS, and various Linux distributions. Users who have not upgraded to the patched release remain exposed regardless of operating system.

Risk and Exploitability

The CVSS score of 8.8 classifies the flaw as high risk. Attackers can exploit the vulnerability by publishing a malicious web page that the victim opens, which leads to arbitrary code execution. The EPSS table does not list an exploit probability, and the vulnerability is not included in the CISA KEV catalog, but the absence of these marks does not reduce the inherent risk posed by a remote code execution flaw.

Generated by OpenCVE AI on May 7, 2026 at 01:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 148.0.7778.96 or newer.
  • Disable the Chrome password manager or clear stored passwords until the update is applied.
  • Configure Chrome to automatically install security updates.

Generated by OpenCVE AI on May 7, 2026 at 01:36 UTC.

Advisories

No advisories yet.

History

Thu, 07 May 2026 02:00:00 +0000

Type Values Removed Values Added
Title Use-After-Free in Chrome Passwords Enabling Remote Code Execution

Wed, 06 May 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Wed, 06 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 06 May 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 06 May 2026 20:15:00 +0000

Type Values Removed Values Added
Title Use-After-Free in Chrome Passwords Enabling Remote Code Execution

Wed, 06 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Use after free in Passwords in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-07T03:56:33.229Z

Reserved: 2026-05-05T22:59:09.796Z

Link: CVE-2026-7921

Vulnrichment

Updated: 2026-05-06T20:16:41.517Z

NVD

Status: Analyzed

Published: 2026-05-06T19:16:40.377

Modified: 2026-05-06T23:38:24.027

Link: CVE-2026-7921

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T01:45:18Z

Weaknesses