Description
Use after free in XR in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Published: 2026-05-28
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Chrome on Windows contains a use‑after‑free flaw in its XR subsystem. If an attacker has already compromised a renderer process, they can send a specially crafted HTML page that triggers access to freed memory, potentially escaping Chrome’s sandbox. The weakness is classified as CWE‑416 and is deemed Critical by Chromium, indicating that successful exploitation could let the attacker execute arbitrary code outside the browser context.

Affected Systems

Google Chrome on Windows versions prior to 148.0.7778.216 are affected. Administrators should verify local installations of Chrome to ensure they are not running any earlier version of the browser.

Risk and Exploitability

The exploit requires the renderer process to be compromised, making it a non‑trivial remote attack that does not rely on a plain web page. No EPSS data are available and the vulnerability is not listed in the CISA KEV catalog. The CVSS score is 9.0, indicating a Critical severity. Because the flaw is in the browser’s sandbox, successful exploitation could allow an attacker to break out and potentially compromise the host system, so the risk remains high for systems still using affected Chrome versions.

Generated by OpenCVE AI on May 29, 2026 at 14:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Chrome update to version 148.0.7778.216 or newer to remove the use‑after‑free bug.
  • If a patch cannot be applied immediately, disable the WebXR feature by clearing or blocking the browser flag chrome://flags/#enable-webxr, or enforce an administrative policy that blocks XR content in all Chrome instances.
  • Enhance endpoint protection and monitor for suspicious renderer process activity. Ensure Chrome’s sandbox or Windows AppContainer features are in use to limit damage from a potential escape.

Generated by OpenCVE AI on May 29, 2026 at 14:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 29 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}

 cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Fri, 29 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title Use-after-Free in Chrome XR Allows Sandbox Escape via Crafted HTML chromium-browser: Use after free in XR
Weaknesses CWE-825
References
Metrics threat_severity

None

 cvssV3_1

{'score': 9.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}

threat_severity

Critical

Fri, 29 May 2026 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Title Use-after-Free in Chrome XR Allows Sandbox Escape via Crafted HTML

Thu, 28 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description Use after free in XR in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Weaknesses CWE-416
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-29T14:53:59.696Z

Reserved: 2026-05-28T17:24:44.477Z

Link: CVE-2026-9890

cve-icon Vulnrichment

Updated: 2026-05-29T14:53:55.825Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-28T23:16:46.983

Modified: 2026-05-29T16:16:35.223

Link: CVE-2026-9890

cve-icon Redhat

Severity : Critical

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-9890 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T14:30:37Z

Weaknesses