Description
Use after free in QUIC in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code inside a sandbox via malicious network traffic. (Chromium security severity: High)
Published: 2026-05-20
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free flaw in the QUIC implementation of Google Chrome allows a remote attacker to trigger arbitrary code execution inside the browser sandbox via malicious network traffic. This vulnerability is classified as high severity by Chromium’s security team and can compromise the execution environment of the user’s browser.

Affected Systems

Google Chrome versions older than 148.0.7778.179 are affected. The issue is tied to the QUIC protocol stack in these older releases.

Risk and Exploitability

Exploitation requires an attacker to send specially crafted QUIC traffic to a user’s Chrome instance. No EPSS data is publicly available, and the vulnerability is not listed in CISA’s KEV catalog. The CVSS score of 8.8 indicates high severity, suggesting that if exploited, the attacker could achieve code execution confined to the browser’s sandbox, potentially escalating to system compromise if additional vulnerabilities are present.

Generated by OpenCVE AI on May 20, 2026 at 21:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 148.0.7778.179 or later
  • Disable the QUIC protocol via Chrome flags or policy settings if an update cannot be applied immediately
  • Configure network defenses to monitor or block anomalous QUIC traffic on UDP port 443

Generated by OpenCVE AI on May 20, 2026 at 21:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 21:45:00 +0000

Type Values Removed Values Added
Title Use‑after‑Free in QUIC Allows Remote Code Execution in Chrome

Wed, 20 May 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 20 May 2026 21:00:00 +0000

Type Values Removed Values Added
Title Use‑after‑Free in QUIC Allows Remote Code Execution in Chrome

Wed, 20 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 20 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description Use after free in QUIC in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code inside a sandbox via malicious network traffic. (Chromium security severity: High)
Weaknesses CWE-416
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-21T03:55:46.447Z

Reserved: 2026-05-20T17:39:21.421Z

Link: CVE-2026-9114

cve-icon Vulnrichment

Updated: 2026-05-20T19:39:27.300Z

cve-icon NVD

Status : Received

Published: 2026-05-20T20:16:42.427

Modified: 2026-05-20T20:16:42.427

Link: CVE-2026-9114

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T21:30:36Z

Weaknesses