Description
Use after free in Views in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Medium)
Published: 2026-05-06
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free flaw in the Views component of Google Chrome allows an attacker to execute arbitrary code in the browser process. The vulnerability is triggered when a malicious Chrome Extension, installed by the user, causes the freed memory to be accessed again. This flaw, identified as CWE‑416, can compromise confidentiality, integrity, and availability of the affected system.

Affected Systems

Google Chrome browsers running any version earlier than 148.0.7778.96 are affected. The issue is present on all operating systems supported by Chrome, as no platform‑specific version restrictions are listed.

Risk and Exploitability

Chromium rates this vulnerability as medium severity. EPSS data is not available and the flaw is not listed in the CISA KEV catalog. The attack requires a user to install a malicious or compromised extension, so the vector is primarily social engineering or compromised extension downloads. Successful exploitation would give code execution capabilities within the browser’s process context.

Generated by OpenCVE AI on May 6, 2026 at 21:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 148.0.7778.96 or later to apply the patched Views component.
  • Remove or disable all extensions that were added from non‑trusted sources or after the vulnerability was disclosed.
  • For enterprise deployments enforce extension whitelisting and block unapproved extensions using Chrome Browser Cloud Management or equivalent policy tools.

Generated by OpenCVE AI on May 6, 2026 at 21:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 23:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Wed, 06 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 06 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 06 May 2026 21:45:00 +0000

Type Values Removed Values Added
Title Chrome Views Use‑After‑Free Exploitable via Malicious Extensions

Wed, 06 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Use after free in Views in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Medium)
Weaknesses CWE-416
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-06T21:52:30.754Z

Reserved: 2026-05-05T22:59:25.192Z

Link: CVE-2026-7976

cve-icon Vulnrichment

Updated: 2026-05-06T19:17:16.876Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T19:16:48.477

Modified: 2026-05-06T23:26:18.053

Link: CVE-2026-7976

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T22:30:13Z

Weaknesses