Description
Integer overflow in Codecs in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium)
Published: 2026-05-14
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An integer overflow in Chrome’s codec implementation on Windows, present in versions prior to 148.0.7778.168, can be triggered by a crafted video file. When exploited, the overflow potentially allows a sandbox escape, giving an attacker the possibility to execute code outside the browser’s security boundaries. The vulnerability is rated Medium by Chromium’s severity scale, indicating a significant impact but not an immediately critical flaw.

Affected Systems

Google Chrome for Windows users running any version earlier than 148.0.7778.168 are affected. The issue does not impact other operating systems or browsers, only the Chrome Windows build uses the vulnerable codec logic.

Risk and Exploitability

Because the vulnerability requires an attacker to supply a malicious video file that the user or a web page feeds into Chrome, the attack vector is remote via web content or a file download. The EPSS score is not available, and the flaw is not listed in CISA’s KEV catalog, suggesting no known widespread exploitation yet. The CVSS score of 8.3 labels this flaw as high severity, and the potential for sandbox escape means that an exploit could provide the attacker with process privileges on the victim’s machine. The risk is moderate to high for users who regularly view untrusted video content, so applying the fix promptly is advisable.

Generated by OpenCVE AI on May 15, 2026 at 13:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 148.0.7778.168 or newer to receive the security fix
  • Make sure Chrome’s auto‑update feature is enabled so that future patches are applied automatically
  • In enterprise or managed environments, enforce policy updates to ensure all Chrome installations remain current

Generated by OpenCVE AI on May 15, 2026 at 13:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6273-1 chromium security update
History

Fri, 15 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title Integer Overflow in Chrome Windows Codecs Enables Sandbox Escape chromium-browser: chromium-browser: Integer overflow in Codecs
Weaknesses CWE-190
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 15 May 2026 00:00:00 +0000

Type Values Removed Values Added
Title Integer Overflow in Chrome Windows Codecs Enables Sandbox Escape

Thu, 14 May 2026 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 14 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description Integer overflow in Codecs in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium)
Weaknesses CWE-472
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-15T03:57:14.707Z

Reserved: 2026-05-14T05:40:25.174Z

Link: CVE-2026-8573

cve-icon Vulnrichment

Updated: 2026-05-14T21:18:47.045Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-14T20:17:19.610

Modified: 2026-05-14T22:16:50.750

Link: CVE-2026-8573

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-14T19:52:34Z

Links: CVE-2026-8573 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T13:45:16Z

Weaknesses