Description
Use after free in PresentationAPI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-06
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free vulnerability exists in Google Chrome’s PresentationAPI that allows an attacker to execute arbitrary code inside a sandbox by serving a specially crafted HTML page. The flaw enables remote code execution within the browser’s sandboxed environment.

Affected Systems

Google Chrome versions prior to 148.0.7778.96 are vulnerable. The security advisory recommends applying the latest stable channel update, which includes version 148.0.7778.96 or later.

Risk and Exploitability

Chromium rates the severity as High and the CVSS score is 8.8, indicating high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. An attacker can exploit this issue by hosting a malicious webpage that triggers the use‑after‑free, gaining sandboxed code execution. Although the resulting code execution is confined to the sandbox, it can serve as a foothold for further compromise.

Generated by OpenCVE AI on May 7, 2026 at 00:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 148.0.7778.96 or later.
  • Ensure Chrome’s auto‑update feature is enabled to receive timely security patches.
  • If an update is not immediately possible, block or disable the PresentationAPI feature via Chrome policy or flag, if available.

Advisories

No advisories yet.

History

Thu, 07 May 2026 00:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Chrome PresentationAPI Use‑After‑Free Allowing Remote Code Execution |

Wed, 06 May 2026 23:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Apple, Apple macos, Linux, Linux linux Kernel, Microsoft, Microsoft windows |
| CPEs | | cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*, cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*, cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*, cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* |
| Vendors & Products | | Apple, Apple macos, Linux, Linux linux Kernel, Microsoft, Microsoft windows |

Wed, 06 May 2026 22:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'} |
| | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |

Wed, 06 May 2026 21:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Chrome PresentationAPI Use‑After‑Free Allowing Remote Code Execution |

Wed, 06 May 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Google, Google chrome |
| Vendors & Products | | Google, Google chrome |

Wed, 06 May 2026 18:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Use after free in PresentationAPI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) |
| Weaknesses | | CWE-416 |
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-07T03:56:25.474Z

Reserved: 2026-05-05T22:59:11.155Z

Link: CVE-2026-7926

Vulnrichment

Updated: 2026-05-06T20:11:58.105Z

NVD

Status: Analyzed

Published: 2026-05-06T19:16:40.940

Modified: 2026-05-06T23:37:41.080

Link: CVE-2026-7926

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T00:30:12Z

Weaknesses