Description
Out of bounds write in WebAudio in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-14
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an out‑of‑bounds write in the WebAudio engine of Google Chrome that exists in all releases prior to version 148.0.7778.168. A maliciously crafted HTML page can trigger the overflow, allowing a remote attacker to execute arbitrary code inside the browser’s sandbox. This flaw provides a pathway for code execution and, if the sandbox is bypassed, could lead to privilege escalation within the system.

Affected Systems

The affected product is Google Chrome. All releases before Chrome 148.0.7778.168 are impacted. Users must verify that they are running Chrome 148.0.7778.168 or newer before the fix is deployed.

Risk and Exploitability

The vulnerability carries a high severity rating from Chromium. No EPSS score is currently available, and the flaw is not listed in the CISA KEV catalog. Attackers can exploit this issue remotely by serving a malicious web page to a user, exploiting the out‑of‑bounds write from the browser’s context. Because the attack vector is web‑based, any user who visits the crafted page is at risk, and there is no requirement for local privileges or user interaction beyond normal browsing. The CVSS score is 8.8, indicating a high severity level.

Generated by OpenCVE AI on May 14, 2026 at 23:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Chrome update (148.0.7778.168 or newer).
  • Configure Chrome Enterprise policies to enforce automatic updates and block older versions.
  • If updating is not immediately possible, disable the WebAudio flag via chrome://flags or a policy to eliminate the vulnerable code path.

Generated by OpenCVE AI on May 14, 2026 at 23:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6273-1 chromium security update
History

Fri, 15 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: chromium-browser: Out of bounds write in WebAudio
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 15 May 2026 00:15:00 +0000

Type Values Removed Values Added
Title Out‑of‑Bounds Write in Chrome WebAudio Enables Remote Code Execution

Thu, 14 May 2026 22:30:00 +0000

Type Values Removed Values Added
Title Out‑of‑Bounds Write in Chrome WebAudio Enables Remote Code Execution

Thu, 14 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 14 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description Out of bounds write in WebAudio in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-787
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-15T03:57:29.743Z

Reserved: 2026-05-14T05:40:13.831Z

Link: CVE-2026-8524

cve-icon Vulnrichment

Updated: 2026-05-14T21:41:37.008Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-14T20:17:13.180

Modified: 2026-05-14T22:16:46.550

Link: CVE-2026-8524

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-14T19:52:16Z

Links: CVE-2026-8524 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T00:00:06Z

Weaknesses