Description
Use after free in WebRTC in Google Chrome prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-20
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use-after-free condition within the WebRTC engine of Google Chrome that permits a remote attacker to execute arbitrary code on a victim's machine via a crafted HTML page. This flaw is categorized as CWE-416 and was given a High severity designation by the Chromium security team.

Affected Systems

Affected systems include all Google Chrome installations with versions earlier than 148.0.7778.179. The issue exists in the stable channel build and any channels that ship older releases. Users who have updated to the 148.0.7778.179 build or later are no longer susceptible to this defect.

Risk and Exploitability

Merely visiting a maliciously crafted web page can trigger the use-after-free, giving the attacker code execution within the client's browser process. The CVSS score is 8.8, indicating high severity, and no EPSS score is available. The vulnerability is not listed in the CISA KEV catalog, so no exploitation in the wild has been recorded there at this time. However, because the flaw grants full control of the client process, the potential damage is severe, and the absence of a mitigation in older Chrome releases makes unpatched installations a high-risk target for attackers.

Generated by OpenCVE AI on May 20, 2026 at 22:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 148.0.7778.179 or newer to apply the WebRTC memory safety patch.
  • If an upgrade cannot be performed immediately, disable WebRTC in Chrome by applying the `DisableWebRTC` policy or turning off the feature via Chrome flags, preventing the vulnerable code from executing.
  • Continuously monitor user environments for the presence of old Chrome versions and for anomalous network activity that may indicate exploitation attempts.

Advisories

No advisories yet.

History

Wed, 20 May 2026 22:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Google
                                      Google chrome
Vendors & Products   -                Google
                                      Google chrome

Wed, 20 May 2026 22:30:00 +0000

Type   Values Removed                                           Values Added
Title  Use-After-Free in WebRTC Enables Remote Code Execution   Use-After-Free in WebRTC Enables Remote Code Execution via Crafted HTML Page

Wed, 20 May 2026 21:00:00 +0000

Type   Values Removed   Values Added
Title  -                Use-After-Free in WebRTC Enables Remote Code Execution

Wed, 20 May 2026 20:15:00 +0000

Type     Values Removed   Values Added
Metrics  -                cvssV3_1
                          {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
                          ssvc
                          {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 20 May 2026 19:30:00 +0000

Type         Values Removed   Values Added
Description  -                Use after free in WebRTC in Google Chrome prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Weaknesses   -                CWE-416
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-20T19:35:55.216Z

Reserved: 2026-05-20T17:39:24.115Z

Link: CVE-2026-9120

Vulnrichment

Updated: 2026-05-20T19:35:48.095Z

NVD

Status: Received

Published: 2026-05-20T20:16:43.600

Modified: 2026-05-20T20:16:43.600

Link: CVE-2026-9120

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T22:30:40Z

Weaknesses