Description
Integer overflow in XML in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-14
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An integer overflow occurs while parsing XML documents in Google Chrome versions prior to 148.0.7778.168. The flaw allows an attacker to supply a malicious HTML page that, when viewed, causes the browser to execute arbitrary code inside its sandbox. This behaviour is classified as a high‑severity vulnerability by Chromium. The potential outcome is that the attacker can manipulate the browser process, potentially compromising the confidentiality or integrity of data visible to the browser, but the description does not indicate a guaranteed escape from the sandbox to the host operating system.

Affected Systems

Google Chrome for desktop operating systems. Any installation of Chrome older than version 148.0.7778.168 is susceptible. Chrome version 148.0.7778.168 and newer contain the fix.

Risk and Exploitability

The vulnerability can be triggered remotely via a crafted HTML page, requiring no authentication or local privileges. The CVSS score of 8.8 is reported, indicating high severity. EPSS is not available and the vulnerability is not listed in CISA KEV, indicating no known large‑scale exploitation campaigns. Nonetheless, the ability to run arbitrary code within the browser sandbox presents a serious risk to systems that allow untrusted web content.

Generated by OpenCVE AI on May 15, 2026 at 13:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 148.0.7778.168 or later
  • If an immediate upgrade is not feasible, configure browser policies to restrict loading of external content or block XML parsing
  • Implement a strict Content Security Policy that prevents execution of untrusted scripts
  • Monitor browser logs for anomalous XML parsing errors or unexpected process behavior

Generated by OpenCVE AI on May 15, 2026 at 13:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6273-1 chromium security update
History

Fri, 15 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title Integer Overflow in Chrome XML Parsing Enables Remote Code Execution chromium-browser: chromium-browser: Integer overflow in XML
Weaknesses CWE-190
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 14 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 14 May 2026 22:30:00 +0000

Type Values Removed Values Added
Title Integer Overflow in Chrome XML Parsing Enables Remote Code Execution

Thu, 14 May 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description Integer overflow in XML in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-472
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-15T03:56:39.106Z

Reserved: 2026-05-14T05:40:15.754Z

Link: CVE-2026-8532

cve-icon Vulnrichment

Updated: 2026-05-14T20:45:57.357Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-14T20:17:14.030

Modified: 2026-05-14T21:19:23.923

Link: CVE-2026-8532

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-14T19:52:19Z

Links: CVE-2026-8532 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T14:00:21Z

Weaknesses