Description
Out of bounds write in WebRTC in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-14
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A buffer overrun in the WebRTC component of Google Chrome allows a remote attacker to craft an HTML page that, when rendered, causes an out‑of‑bounds write. This overflow can lead to arbitrary code execution inside the browser’s sandbox, potentially compromising the user’s system and data.

Affected Systems

Google Chrome versions prior to 148.0.7778.168 are affected. The vulnerability is present in the Chrome browser, as listed by the CNA, with no other vendor or product currently included in the report.

Risk and Exploitability

The CVSS score is 8.8 and the Chromium severity is marked High; exploitation is limited to a crafted HTML page viewed in the browser. No EPSS score is available and the vulnerability is not cataloged in CISA’s KEV. Because the attack vector requires a user to open a malicious page, the likelihood of exploitation depends on the phishing or social engineering context, but the impact remains severe if exploited.

Generated by OpenCVE AI on May 14, 2026 at 23:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 148.0.7778.168 or later.
  • Where immediate upgrade is impossible, temporarily disable WebRTC via Chrome settings or enterprise policy to block the vulnerable path.
  • Continuously monitor users for anomalous browser activity and keep up with future security updates.

Advisories
Source: Debian DSA
ID: DSA-6273-1
Title: chromium security update

History

Fri, 15 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: chromium-browser: Out of bounds write in WebRTC
References
Metrics threat_severity: None (removed), threat_severity: Important (added)


Fri, 15 May 2026 00:15:00 +0000

Type Values Removed Values Added
Title Out-of-Bounds Write in Chrome WebRTC Allows Remote Code Execution

Thu, 14 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 14 May 2026 22:00:00 +0000

Type Values Removed Values Added
Title Out-of-Bounds Write in Chrome WebRTC Allows Remote Code Execution
First Time appeared Google, Google chrome
Vendors & Products Google, Google chrome

Thu, 14 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description Out of bounds write in WebRTC in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-787
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-15T03:57:31.145Z

Reserved: 2026-05-14T05:40:14.322Z

Link: CVE-2026-8526

Vulnrichment

Updated: 2026-05-14T21:42:14.686Z

NVD

Status: Awaiting Analysis

Published: 2026-05-14T20:17:13.407

Modified: 2026-05-14T22:16:46.837

Link: CVE-2026-8526

Redhat

Severity: Important

Public Date: 2026-05-14T19:52:17Z

Links: CVE-2026-8526 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-15T00:00:06Z

Weaknesses