Description
Use after free in Browser in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Published: 2026-05-28
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free vulnerability in the Chrome browser on macOS allows a malicious HTML page to cause the browser to execute arbitrary code. The flaw is triggered when the browser mismanages memory following the rendering of a crafted page, enabling the attacker to run native code with the user’s privileges, which could lead to full compromise of the affected machine.

Affected Systems

Google Chrome for macOS versions earlier than 148.0.7778.216 are impacted; the issue is specific to the browser component on Mac and does not extend to other Google products.

Risk and Exploitability

The CVSS score of 8.8 confirms a high severity, aligning with Chromium’s own Critical severity rating. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is remote: an attacker can serve or host a specially crafted HTML page that a user opens in Chrome, triggering the use‑after‑free condition and enabling arbitrary code execution.

Generated by OpenCVE AI on May 29, 2026 at 13:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 148.0.7778.216 or newer on macOS
  • Enable automatic updates for Chrome so the browser can receive future patches automatically
  • Disable or remove extensions or settings that allow loading untrusted custom HTML until the patch is applied



Advisories

No advisories yet.

History

Fri, 29 May 2026 18:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Apple; Apple macos |
| CPEs | | cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*; cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:* |
| Vendors & Products | | Apple; Apple macos |

Fri, 29 May 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | Chrome Mac Use‑After‑Free Exploit Allowing Remote Code Execution | chromium-browser: Use after free in Browser |
| Weaknesses | | CWE-825 |
| References | | |
| Metrics | threat_severity: None | threat_severity: Critical |


Fri, 29 May 2026 11:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Fri, 29 May 2026 01:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Google; Google chrome |
| Vendors & Products | | Google; Google chrome |

Fri, 29 May 2026 01:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Chrome Mac Use‑After‑Free Exploit Allowing Remote Code Execution |

Thu, 28 May 2026 22:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Use after free in Browser in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical) |
| Weaknesses | | CWE-416 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-30T03:55:45.191Z

Reserved: 2026-05-28T17:24:43.262Z

Link: CVE-2026-9884

Vulnrichment

Updated: 2026-05-29T10:38:42.735Z

NVD

Status: Analyzed

Published: 2026-05-28T23:16:46.383

Modified: 2026-05-29T18:41:25.400

Link: CVE-2026-9884

Red Hat

Severity: Critical

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-9884 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T13:45:45Z

Weaknesses