Description
Out of bounds write in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-14
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a CWE-787 out-of-bounds write in the Media component of Google Chrome on desktop platforms. An attacker who has already compromised the renderer process can trigger the defect with a maliciously crafted HTML document. The out-of-bounds write can potentially let the compromised renderer escape the browser sandbox, allowing the attacker to execute arbitrary code with the privileges of the user that launched Chrome.

Affected Systems

Google Chrome versions before 148.0.7778.168 on Windows, macOS, and Linux are affected. Users running Chrome 147 or older, or any 148 release earlier than build 148.0.7778.168, are at risk until they upgrade to the patched version.

Risk and Exploitability

Chromium labels the issue as high severity, reflected in a CVSS score of 8.3, but no EPSS score is available. The vulnerability is not listed in the CISA KEV catalog, which means CISA has not recorded exploitation in the wild at this time. Exploitation would require an attacker to first compromise or coerce the renderer process, commonly through malicious web content; once that is achieved, the out-of-bounds write could lead to a sandbox escape. The risk is therefore high if users run susceptible versions and visit untrusted websites, but lower if the renderer remains uncompromised. Immediate patching mitigates the threat.

Generated by OpenCVE AI on May 14, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 148.0.7778.168 or later as released by Google.
  • If an update is not immediately possible, refrain from using the affected Chrome version and limit exposure to untrusted web content; consider using a sandboxed browsing environment or a different browser.
  • Run Chrome with normal user privileges (not as admin) and keep the default sandbox features enabled; keep endpoint protection software active to detect anomalous memory corruption events.

Advisories

Source: Debian DSA
ID: DSA-6273-1
Title: chromium security update

History

Fri, 15 May 2026 12:15:00 +0000

  • Title: removed "Out‑of‑Bounds Write in Chrome Media Enables Possible Sandbox Escape"; added "chromium-browser: chromium-browser: Out of bounds write in Media"
  • References
  • Metrics: removed threat_severity None; added threat_severity Important

Fri, 15 May 2026 10:15:00 +0000

  • Metrics: added ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 23:45:00 +0000

  • Title: added "Out‑of‑Bounds Write in Chrome Media Enables Possible Sandbox Escape"

Thu, 14 May 2026 23:00:00 +0000

  • First Time appeared: added Google; Google chrome
  • Vendors & Products: added Google; Google chrome

Thu, 14 May 2026 22:30:00 +0000

  • Metrics: added cvssV3_1 {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Thu, 14 May 2026 20:15:00 +0000

  • Description: added "Out of bounds write in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)"
  • Weaknesses: added CWE-787
  • References

MITRE

Status: PUBLISHED
Assigner: Chrome
Published:
Updated: 2026-05-15T09:55:34.464Z
Reserved: 2026-05-14T05:40:19.616Z
Link: CVE-2026-8548

Vulnrichment

Updated: 2026-05-14T21:18:41.542Z

NVD

Status: Awaiting Analysis
Published: 2026-05-14T20:17:15.700
Modified: 2026-05-14T22:16:48.700
Link: CVE-2026-8548

Redhat

Severity: Important
Public Date: 2026-05-14T19:52:25Z
Links: CVE-2026-8548 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-14T23:30:31Z

Weaknesses