Description
Use after free in WebRTC in Google Chrome on Windows prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-06
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a use‑after‑free flaw in the WebRTC component of Google Chrome for Windows. It allows an attacker to craft an HTML page that triggers the flaw and enables execution of arbitrary code inside Chrome’s sandbox.

Affected Systems

Google Chrome running on Windows machines with a version earlier than 148.0.7778.96.

Risk and Exploitability

The flaw carries a CVSS score of 8.8, indicating high severity, though no EPSS score is published. The attack requires an attacker to provide a malicious HTML page that a user opens in Chrome; exploitation then executes inside the browser’s sandbox. The vulnerability is not listed in the CISA KEV catalog. Based on the version requirement, updating to Chrome‑148.0.7778.96 or later is expected to address the issue. Because exploitation can occur from remote web content, any user who opens such a page is at risk.

Generated by OpenCVE AI on May 7, 2026 at 01:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 148.0.7778.96 or later, which is expected to include the WebRTC fix.
  • If upgrading cannot be performed immediately, disable WebRTC through chrome://flags or by installing an extension that blocks the feature to prevent exploitation.
  • Stay informed of future Chrome security updates by monitoring the Chromium release blog and subscription notifications for critical patches.

Generated by OpenCVE AI on May 7, 2026 at 01:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6250-1 chromium security update
History

Thu, 07 May 2026 01:30:00 +0000

Type Values Removed Values Added
Title Use After Free in WebRTC Enables Remote Code Execution via Crafted HTML Page

Wed, 06 May 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft windows

Wed, 06 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 06 May 2026 21:45:00 +0000

Type Values Removed Values Added
Title Use After Free in WebRTC Enables Remote Code Execution via Crafted HTML Page

Wed, 06 May 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 06 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Use after free in WebRTC in Google Chrome on Windows prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

Subscriptions

Google Chrome
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-07T03:56:28.823Z

Reserved: 2026-05-05T22:59:11.655Z

Link: CVE-2026-7928

cve-icon Vulnrichment

Updated: 2026-05-06T20:09:48.924Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T19:16:41.140

Modified: 2026-05-06T23:37:10.013

Link: CVE-2026-7928

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T01:15:17Z

Weaknesses