Description
Type Confusion in WebRTC in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-05-06
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability results from a type confusion bug in the WebRTC component of Google Chrome versions prior to 148.0.7778.96. A crafted HTML page can cause the browser to interpret data as an unintended type, enabling arbitrary code execution within the browser sandbox. The flaw is classified as CWE-843 and allows a remote attacker to run malicious code inside the sandboxed process, potentially providing a foothold for further exploitation beyond the sandbox boundaries. Although Chromium officially rates it Medium severity, code execution inside the sandboxed process makes the impact significant.

Affected Systems

All installations of Google Chrome below version 148.0.7778.96 are affected. No other vendors or products are listed as impacted.

Risk and Exploitability

The EPSS score is unavailable and the vulnerability is not listed in CISA's KEV catalog, suggesting that no widely known, active exploitation has been reported yet. However, the flaw is remotely exploitable by presenting a malicious HTML page to a user's browser; based on the description, that crafted page is the likely attack vector, and the type confusion occurs when it is loaded. While the absence of a public exploit reduces immediate risk, the potential to execute code in the sandboxed process, and to use it as a foothold for further exploitation beyond the sandbox, warrants a high level of diligence from organizations that rely on Chrome for web browsing or web-enabled applications. The CVSS score of 8.8 indicates a high severity rating.

Generated by OpenCVE AI on May 6, 2026 at 23:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 148.0.7778.96 or newer.
  • If an immediate update is not feasible, disable the WebRTC feature via a Chrome policy setting or by launching Chrome with the --disable-webrtc flag.
  • After making the update or policy change, restart Chrome so the new settings take effect.

Advisories

No advisories yet.

History

Thu, 07 May 2026 00:15:00 +0000

Type: Title
Values Removed: (none)
Values Added: Type Confusion in WebRTC Allows Remote Code Execution in Google Chrome

Wed, 06 May 2026 23:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Apple; Apple macos; Linux; Linux linux Kernel; Microsoft; Microsoft windows

Type: CPEs
Values Removed: (none)
Values Added:
cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added: Apple; Apple macos; Linux; Linux linux Kernel; Microsoft; Microsoft windows

Wed, 06 May 2026 23:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 06 May 2026 22:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Wed, 06 May 2026 21:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Google; Google chrome

Type: Vendors & Products
Values Removed: (none)
Values Added: Google; Google chrome

Wed, 06 May 2026 18:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: Type Confusion in WebRTC in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-843

References

MITRE

Status: PUBLISHED
Assigner: Chrome
Published:
Updated: 2026-05-07T03:55:59.001Z
Reserved: 2026-05-05T22:59:28.663Z
Link: CVE-2026-7988

Vulnrichment

Updated: 2026-05-06T18:51:22.639Z

NVD

Status: Analyzed
Published: 2026-05-06T19:16:49.677
Modified: 2026-05-06T23:20:36.123
Link: CVE-2026-7988

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T00:00:13Z

Weaknesses