Description
Use after free in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-05-14
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free flaw in Chrome's GPU subsystem allows a remote attacker to execute arbitrary code inside the browser sandbox through a specially crafted HTML page. The vulnerability can be triggered by loading malicious content, enabling the attacker to run code with sandbox privileges, potentially compromising the user’s system or data.

Affected Systems

Google Chrome browsers with versions earlier than 148.0.7778.168 are affected. The issue resides in the GPU module and impacts the stable channel, as noted by Google’s security release for that version.

Risk and Exploitability

The CVSS score is 8.8, indicating high severity, and the Chromium Medium severity rating corroborates significant risk. The EPSS score is < 1%, and the vulnerability is not listed in the CISA KEV catalog. Attackers likely require the victim to open an attacker‑crafted HTML page, possibly delivered via social engineering or a compromised site. Successful exploitation yields remote code execution confined to the sandbox, but an attacker could leverage that foothold to breach sandbox boundaries if additional vulnerabilities exist.

Generated by OpenCVE AI on May 15, 2026 at 14:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 148.0.7778.168 or later.
  • If upgrading immediately is not possible, launch Chrome with the '--disable-gpu' flag to prevent GPU usage and mitigate exploitation.
  • Avoid loading untrusted HTML content that could contain GPU‑based exploit payloads.

Generated by OpenCVE AI on May 15, 2026 at 14:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6273-1 chromium security update
History

Fri, 15 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: chromium-browser: Use after free in GPU
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 14 May 2026 23:30:00 +0000

Type Values Removed Values Added
Title GPU Use-After-Free Allows Remote Code Execution in Google Chrome
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 14 May 2026 21:45:00 +0000

Type Values Removed Values Added
Title GPU Use-After-Free Allows Remote Code Execution in Google Chrome

Thu, 14 May 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description Use after free in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-416
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-15T03:56:24.188Z

Reserved: 2026-05-14T05:40:26.995Z

Link: CVE-2026-8581

cve-icon Vulnrichment

Updated: 2026-05-14T20:36:47.232Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-14T20:17:20.470

Modified: 2026-05-14T21:19:23.923

Link: CVE-2026-8581

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-14T19:52:42Z

Links: CVE-2026-8581 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T15:00:14Z

Weaknesses