CVE-2026-9888 - Vulnerability Details

- chromium-browser: Use after free in WebView

Description

Use after free in WebView in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Published: 2026-05-28

Score: 8.3 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a use‑after‑free condition in the WebView component of Google Chrome on Android. This represents a use‑after‑free (CWE‑416) that results in use of freed memory (CWE‑825). When a renderer process is already compromised, an attacker can serve a specially crafted HTML page that triggers the freed memory usage, potentially allowing execution of arbitrary code outside the browser sandbox. The flaw was classified as Critical by Chromium and could lead to full system compromise if exploited.

Affected Systems

Devices running Google Chrome for Android earlier than version 148.0.7778.216 are affected. The bug resides in the WebView implementation tied to the renderer process in those releases.

Risk and Exploitability

The flaw carries a CVSS score of 8.3 (High) and the EPSS score is less than 1 %. It is not listed in CISA’s KEV catalog. Exploitation requires an already compromised renderer process and the delivery of a crafted web page, making it a remote attack scenario that relies on browser interaction. Given the high severity and potential for system compromise, organizations should treat this as an urgent vulnerability.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Google

Chrome

affected

Version	Status	Constraints
`148.0.7778.216`	affected	< 148.0.7778.216

No data.

Vendor Product Confidence Versions

Google

Chrome

100%

Version	Status	Scheme	Platform
`[148.0.7778.216,148.0.7778.216)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Google Chrome for Android to version 148.0.7778.216 or later, which contains the fix for the WebView use‑after‑free bug.
If an immediate update is not possible, disable or restrict WebView usage for untrusted content by configuring app permissions or using content security policies.
Apply any available security patches from Google as soon as they are released and monitor official release notes for further updates.

Generated by OpenCVE AI on May 29, 2026 at 16:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00032.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/511715166
https://nvd.nist.gov/vuln/detail/CVE-2026-9888
https://www.cve.org/CVERecord?id=CVE-2026-9888

History

Fri, 29 May 2026 15:30:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 9.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}` cvssV3_1 `{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}`

Fri, 29 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Title	Use-After-Free in Chrome Android WebView Enables Sandbox Escape	chromium-browser: Use after free in WebView
Weaknesses		CWE-825
References		https://nvd.nist.gov/vuln/detail/CVE-2026-9888 https://www.cve.org/CVERecord?id=CVE-2026-9888
Metrics	threat_severity `None`	cvssV3_1 `{'score': 9.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}` threat_severity `Critical`

Fri, 29 May 2026 02:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Google Google chrome
Vendors & Products		Google Google chrome

Fri, 29 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Title		Use-After-Free in Chrome Android WebView Enables Sandbox Escape

Thu, 28 May 2026 22:45:00 +0000

Type	Values Removed	Values Added
Description		Use after free in WebView in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Weaknesses		CWE-416
References		https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/511715166

Subscriptions

Google Chrome

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2026-05-28T22:25:13.359Z

Updated: 2026-05-30T03:56:37.579Z

Reserved: 2026-05-28T17:24:44.074Z

Link: CVE-2026-9888

Vulnrichment

Updated: 2026-05-29T14:54:59.705Z

NVD

Status : Undergoing Analysis

Published: 2026-05-28T23:16:46.787

Modified: 2026-05-29T16:16:34.930

Link: CVE-2026-9888

Redhat

Severity : Critical

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-9888 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T16:30:02Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object