Description
Use after free in Base in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Published: 2026-05-28
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use‑after‑free error located in the Base component of Google Chrome, versions prior to 148.0.7778.216. An attacker can deliver a specially crafted HTML page to a user’s browser and cause the use‑after‑free condition to trigger, giving the attacker the ability to execute arbitrary code with the privileges of the local user. This failure is classified as CWE‑416 and CWE‑825 and is considered a critical security flaw in Chromium’s terminology.

Affected Systems

Affected systems include all installations of Google Chrome that are not updated to at least version 148.0.7778.216. The problem exists on all supported platforms (Windows, macOS, Linux) as the Base component is cross‑platform. The issue occurs when a browser process parses an HTML file that contains code designed to exploit the memory bug; any user who opens the malicious page is at risk.

Risk and Exploitability

The CVSS score is 8.8, but the EPSS score is unavailable. The vulnerability is not listed in the CISA KEV catalog, so there is no publicly disclosed exploit known to be in use. Nevertheless, the attack path is straightforward: a remote attacker hosts a malicious page and lures a victim into visiting it. Because the flaw allows arbitrary code execution, the impact is severe. The risk remains high until browsers are updated.

Generated by OpenCVE AI on May 29, 2026 at 14:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 148.0.7778.216 or later, which contains the patch that resolves the use‑after‑free condition.
  • Enable automatic updates in Chrome so that future security patches, including this fix, are applied without manual intervention.
  • If unable to upgrade immediately, use Chrome policy settings to restrict the execution of JavaScript in local or untrusted HTML files, thereby limiting the ability of crafted pages to trigger the flaw.

Generated by OpenCVE AI on May 29, 2026 at 14:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 29 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title Use after Free in Chrome Base Enables Remote Code Execution chromium-browser: Use after free in Base
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Critical

Fri, 29 May 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 29 May 2026 02:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Title Use after Free in Chrome Base Enables Remote Code Execution

Thu, 28 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description Use after free in Base in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Weaknesses CWE-416
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-29T11:03:07.473Z

Reserved: 2026-05-28T17:24:43.035Z

Link: CVE-2026-9883

cve-icon Vulnrichment

Updated: 2026-05-29T10:39:44.831Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-28T23:16:46.267

Modified: 2026-05-29T18:43:05.703

Link: CVE-2026-9883

cve-icon Redhat

Severity : Critical

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-9883 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T14:30:37Z

Weaknesses