Description
Use after free in Input in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Published: 2026-05-14
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use–after–free bug in Chrome on Android before version 148.0.7778.168 allows a remote attacker who has already compromised the renderer process to run code outside the browser sandbox. The flaw can lead to execution of arbitrary code with the privileges of the renderer, potentially compromising the device. The weakness is identified as CWE-416 and CWE-825.

Affected Systems

The vulnerability affects Google Chrome on Android versions earlier than 148.0.7778.168. This includes all Android builds that ship the affected Chrome binary. No other products or operating systems are mentioned in the advisory.

Risk and Exploitability

The issue is rated critical by Chromium and has a CVSS score of 8.3. EPSS score not available. It is not listed in the CISA KEV catalog. The likely attack vector requires that the attacker already gain a foothold in the renderer process – which can be achieved through malicious web content or other supply‑chain techniques. Once that condition is satisfied, the use‑after‑free can be triggered by a crafted HTML page to escape the sandbox. Addressing the flaw with a patch is the preferred mitigation.

Generated by OpenCVE AI on May 15, 2026 at 13:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Chrome update (v148.0.7778.168 or newer) on all Android devices.
  • Configure Chrome to run with the least‑privilege sandbox in the Enterprise policy or use secure settings to disallow privileged features in the renderer.
  • Monitor network traffic and application logs for anomalous renderer behavior and report any suspicious activity to the security team.

Generated by OpenCVE AI on May 15, 2026 at 13:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6273-1 chromium security update
History

Fri, 15 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: chromium-browser: Use after free in Input
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Critical

Fri, 15 May 2026 00:15:00 +0000

Type Values Removed Values Added
Title Use After Free Leading to Sandbox Escape in Chrome Android

Thu, 14 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 14 May 2026 22:15:00 +0000

Type Values Removed Values Added
Title Use After Free Leading to Sandbox Escape in Chrome Android
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description Use after free in Input in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Weaknesses CWE-416
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-15T03:56:55.205Z

Reserved: 2026-05-14T05:40:11.173Z

Link: CVE-2026-8513

cve-icon Vulnrichment

Updated: 2026-05-14T21:03:57.608Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-14T20:17:11.957

Modified: 2026-05-14T22:16:45.557

Link: CVE-2026-8513

cve-icon Redhat

Severity : Critical

Publid Date: 2026-05-14T19:52:11Z

Links: CVE-2026-8513 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T13:30:45Z

Weaknesses