Description
Use after free in Accessibility in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-14
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free flaw exists in Chrome’s Accessibility module, allowing a remote attacker who has already compromised the renderer process to craft an HTML page that triggers memory corruption (CWE-416) and an authority bypass path (CWE-825). The bug enables attackers to execute code with the privileges of the renderer process and potentially elevate privileges on the host machine.

Affected Systems

All desktop installations of Google Chrome prior to version 148.0.7778.168 are affected. The flaw exists in the Accessibility component of the renderer process and therefore impacts all Chrome instances that use that component.

Risk and Exploitability

Chromium considers the severity high, reflected in a CVSS score of 7.5. No EPSS data is available and the flaw is not listed in the CISA KEV catalog. Exploitation requires the attacker to already have control over the renderer, for example via a malicious webpage or injected process. Once that condition is met, the use‑after‑free can be triggered to execute code, leading to a full remote code execution. The lack of public exploitation data suggests a lower likelihood of widespread attack at this time, but the high severity and privilege‑elevation potential warrant prompt remediation.

Generated by OpenCVE AI on May 15, 2026 at 14:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 148.0.7778.168 or newer as soon as possible.
  • Update any other installed Chromium‑based browsers to the latest available versions to mitigate similar vulnerabilities.
  • After the patch, continue to monitor for any anomalous renderer behavior or unauthorized code execution.

Generated by OpenCVE AI on May 15, 2026 at 14:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6273-1 chromium security update
History

Fri, 15 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free in Chrome Accessibility Allows Privilege Escalation chromium-browser: chromium-browser: Use after free in Accessibility
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 15 May 2026 02:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 14 May 2026 23:00:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free in Chrome Accessibility Allows Privilege Escalation

Thu, 14 May 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description Use after free in Accessibility in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-15T03:56:47.325Z

Reserved: 2026-05-14T05:40:21.510Z

Link: CVE-2026-8557

cve-icon Vulnrichment

Updated: 2026-05-14T20:48:44.212Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-14T20:17:17.467

Modified: 2026-05-14T21:19:23.923

Link: CVE-2026-8557

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-14T19:52:28Z

Links: CVE-2026-8557 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T14:15:51Z

Weaknesses