Description
Use after free in Views in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Medium)
Published: 2026-05-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free flaw in the Views component of Google Chrome allows an attacker to run arbitrary code within the browser process. The defect is triggered when a malicious Chrome Extension, installed by the user, accesses memory that has already been freed, enabling code execution.

Affected Systems

Any Chrome browser version earlier than 148.0.7778.96 is vulnerable. The issue applies to all operating systems supported by Chrome, including Windows, macOS, and Linux, because no platform‑specific restrictions are listed.

Risk and Exploitability

The CVSS score of 7.5 indicates a high technical risk, while the EPSS score is < 1% (approximately 0.00018) and the vulnerability does not appear in CISA’s KEV catalog. Exploitation requires a user to install a malicious or compromised extension, meaning the attack vector is primarily social engineering or compromised download channels. Successful exploitation would grant the attacker code execution capabilities in the context of the Chrome browser process.

Generated by OpenCVE AI on May 9, 2026 at 03:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 148.0.7778.96 or later to apply the patched Views component.
  • Remove or disable all extensions that were added from non‑trusted sources or after the vulnerability was disclosed.
  • For enterprise deployments enforce extension whitelisting and block unapproved extensions using Chrome Browser Cloud Management or equivalent policy tools.

Generated by OpenCVE AI on May 9, 2026 at 03:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6250-1 chromium security update
History

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Use after free in Views
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 07 May 2026 03:00:00 +0000

Type Values Removed Values Added
Title Chrome Views Use‑After‑Free Exploitable via Malicious Extensions

Wed, 06 May 2026 23:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Wed, 06 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 06 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 06 May 2026 21:45:00 +0000

Type Values Removed Values Added
Title Chrome Views Use‑After‑Free Exploitable via Malicious Extensions

Wed, 06 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Use after free in Views in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Medium)
Weaknesses CWE-416
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-07T03:56:10.296Z

Reserved: 2026-05-05T22:59:25.192Z

Link: CVE-2026-7976

cve-icon Vulnrichment

Updated: 2026-05-06T19:17:16.876Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T19:16:48.477

Modified: 2026-05-06T23:26:18.053

Link: CVE-2026-7976

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-05T00:00:00Z

Links: CVE-2026-7976 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T03:45:03Z

Weaknesses