Description
Heap buffer overflow in WebRTC in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-20
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap buffer overflow in the WebRTC component of Google Chrome allows a remote attacker to execute arbitrary code inside the browser sandbox by loading a specially crafted HTML page. The flaw is a classic buffer overflow, identified by CWE‑122, that can compromise the confidentiality and integrity of data handled by the browser and may lead to further compromise if the attack surface extends beyond the sandbox.

Affected Systems

Google Chrome users running any build prior to version 148.0.7778.179 are affected. The vulnerability is specific to the Chrome browser itself and does not directly impact the underlying operating system or other applications.

Risk and Exploitability

The vulnerability carries a high Chromium security severity rating and a CVSS score of 8.8; EPSS is not available. It is not listed in the CISA KEV catalog. Exploitation requires an attacker to persuade a user to visit a malicious webpage or otherwise deliver a crafted page to the browser; the overflow occurs during normal processing of that page. Because the arbitrary code execution occurs within the sandbox, the risk of immediate system compromise is mitigated unless a separate sandbox escape is achieved. Nonetheless, the threat remains significant for users who download or view untrusted content.

Generated by OpenCVE AI on May 20, 2026 at 21:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 148.0.7778.179 or newer
  • Disable the WebRTC feature in Chrome by setting the "WebRTC" flag to "Disabled" via chrome://flags or by using a browser extension that blocks the feature
  • Ensure that Chrome automatic updates are enabled and keep the operating system and security software updated to reduce exposure to related vulnerabilities

Generated by OpenCVE AI on May 20, 2026 at 21:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 21:30:00 +0000

Type Values Removed Values Added
Title WebRTC Heap Buffer Overflow Enables Remote Code Execution

Wed, 20 May 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 20 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 20 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description Heap buffer overflow in WebRTC in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-122
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-21T03:55:48.661Z

Reserved: 2026-05-20T17:39:23.683Z

Link: CVE-2026-9119

cve-icon Vulnrichment

Updated: 2026-05-20T19:36:16.035Z

cve-icon NVD

Status : Received

Published: 2026-05-20T20:16:43.387

Modified: 2026-05-20T20:16:43.387

Link: CVE-2026-9119

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T21:45:40Z

Weaknesses