Description
Use after free in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-28
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free bug (CWE‑416) and an associated resource management issue (CWE‑825) in the Skia graphics engine of Google Chrome can trigger heap corruption when rendering a specially crafted HTML page. The CVE notes that this can potentially lead to arbitrary code execution or a denial of service; the possibility of RCE or DoS is inferred from that wording, as the description does not confirm a guaranteed exploit result.

Affected Systems

Google Chrome desktop installations with versions earlier than 148.0.7778.216 are affected; installing later stable releases mitigates the flaw.

Risk and Exploitability

The CVE indicates that any user who opens a crafted HTML page in Google Chrome could trigger the heap corruption, implying a remote attack vector. Although the EPSS score is not available, the absence of exploitation probability data and the lack of KEV listing suggest no known widespread exploits yet. The CVSS score of 8.8 indicates high severity. The combination of remote reach and the possible consequences of RCE or DoS indicates a high‑risk posture that warrants prompt mitigation.

Generated by OpenCVE AI on May 29, 2026 at 13:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 148.0.7778.216 or newer.
  • If an update cannot be applied immediately, avoid opening untrusted HTML content that may trigger advanced rendering in Skia.
  • Use a sandboxed or alternative browser to isolate Chromium for browsing until the update is installed.

Generated by OpenCVE AI on May 29, 2026 at 13:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 29 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title Use After Free in Skia Leading to Heap Corruption via Crafted HTML chromium-browser: Use after free in Skia
Weaknesses CWE-825
References
Metrics threat_severity

None

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important

Fri, 29 May 2026 01:15:00 +0000

Type Values Removed Values Added
Title Use After Free in Skia Leading to Heap Corruption via Crafted HTML
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 28 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description Use after free in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-29T17:51:07.034Z

Reserved: 2026-05-28T17:24:52.089Z

Link: CVE-2026-9923

cve-icon Vulnrichment

Updated: 2026-05-29T17:49:40.488Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-28T23:16:50.407

Modified: 2026-05-29T19:16:29.767

Link: CVE-2026-9923

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-9923 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T14:00:20Z

Weaknesses