Description
Use after free in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-14
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Use after free vulnerability in the Media component of Google Chrome prior to version 148.0.7778.168 allows a remote attacker to execute arbitrary code inside the sandbox by loading a crafted HTML page. The flaw is a classic use‑after‑free bug (CWE‑416) and improper resource release (CWE‑825), and is considered a high severity issue by the Chromium security team.

Affected Systems

Google Chrome desktop versions older than 148.0.7778.168 on the stable channel are affected. The vulnerability exists in the Media library that handles HTML content.

Risk and Exploitability

The CVSS score of 8.8 reflects a high severity impact. EPSS score is not available, so exploitation likelihood cannot be quantified. The vulnerability is not listed in CISA KEV catalogue. The description indicates that a remote attacker can exploit the flaw by serving or delivering a crafted HTML page that triggers the use of freed memory. Because the flaw allows arbitrary code execution within Chrome’s sandbox, the attacker gains the privileges granted to the sandboxed process. No additional conditions are described in the CVE data.

Generated by OpenCVE AI on May 15, 2026 at 14:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 148.0.7778.168 or newer on all affected machines
  • Configure Chrome’s automatic update settings to ensure the latest patch is installed without user intervention
  • If an immediate upgrade is impossible, restrict the execution of untrusted local HTML files or block external content from untrusted sources using enterprise policies
  • Monitor browsing activity for anomalous HTML or media loading patterns that could indicate exploitation attempts

Generated by OpenCVE AI on May 15, 2026 at 14:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6273-1 chromium security update
History

Fri, 15 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: chromium-browser: Use after free in Media
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 14 May 2026 23:30:00 +0000

Type Values Removed Values Added
Title Use‑after‑free in Chrome Media enabling remote code execution via crafted HTML

Thu, 14 May 2026 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 14 May 2026 21:45:00 +0000

Type Values Removed Values Added
Title Use‑after‑free in Chrome Media enabling remote code execution via crafted HTML

Thu, 14 May 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description Use after free in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-15T03:56:30.076Z

Reserved: 2026-05-14T05:40:18.744Z

Link: CVE-2026-8544

cve-icon Vulnrichment

Updated: 2026-05-14T20:36:51.492Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-14T20:17:15.270

Modified: 2026-05-14T21:19:23.923

Link: CVE-2026-8544

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-14T19:52:24Z

Links: CVE-2026-8544 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T14:15:51Z

Weaknesses