Description
Use after free in Bluetooth in Google Chrome on Mac prior to 148.0.7778.216 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension. (Chromium security severity: Critical)
Published: 2026-05-28
Score: 9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Use‑after‑free in Chrome's Bluetooth code allows a malicious extension to trigger a memory error that may lead to a sandbox escape. The flaw is triggered when an attacker convinces a user to install a crafted Chrome Extension on macOS. The Chromium security team has rated the issue as Critical, and the defect originates from improper deallocation of memory used by the Bluetooth stack, which an attacker can exploit to run untrusted code outside the browser sandbox.

Affected Systems

The vulnerability affects Chrome for macOS versions earlier than 148.0.7778.216. Users running such versions are at risk if they install arbitrary extensions from sites that are not part of the Chrome Web Store or that are otherwise malicious. Google Chrome distributes subsequent releases that contain the fix.

Risk and Exploitability

Because the EPSS score is <1% and the issue is not listed in CISA KEV, formal exploitation data is limited. Nevertheless, the correct attack path requires social engineering to have a user install a bad extension, a commonly observed attack technique. The CVSS score of 9 indicates high severity in line with the Chromium security team's Critical classification. The low EPSS suggests the likelihood of exploitation is low, but the possibility of sandbox escape means the risk remains high for any Mac system running an affected Chrome version. An exploitable code path exists if the browser code runs with insufficient isolation when the freed memory is accessed.

Generated by OpenCVE AI on May 29, 2026 at 16:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 148.0.7778.216 or later on macOS.
  • Remove any extensions that were installed before the update, especially those that appear suspicious or untrusted.
  • Limit extensions to those from the Chrome Web Store and enable Chrome's extension permission warnings to detect dangerous permission requests.

Generated by OpenCVE AI on May 29, 2026 at 16:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Fri, 29 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free Leading to Potential Sandbox Escape in Chrome Bluetooth on macOS chromium-browser: Use after free in Bluetooth
Weaknesses CWE-825
References
Metrics threat_severity

None

 cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}

threat_severity

Critical

Fri, 29 May 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free Leading to Potential Sandbox Escape in Chrome Bluetooth on macOS

Thu, 28 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description Use after free in Bluetooth in Google Chrome on Mac prior to 148.0.7778.216 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension. (Chromium security severity: Critical)
Weaknesses CWE-416
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-30T03:56:39.801Z

Reserved: 2026-05-28T17:24:42.536Z

Link: CVE-2026-9881

cve-icon Vulnrichment

Updated: 2026-05-29T14:57:31.691Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-28T23:16:46.047

Modified: 2026-05-29T16:16:34.497

Link: CVE-2026-9881

cve-icon Redhat

Severity : Critical

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-9881 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T17:00:04Z

Weaknesses