Description
Use after free in Input in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-28
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Chrome browsers prior to version 148.0.7778.216 contain a use‑after‑free flaw in the Input subsystem that can lead to heap corruption when a user engages in specific UI gestures on a crafted HTML page. This weakness, classified as CWE-416 and CWE-825, could allow a remote attacker who convinces a user to interact with such a page to potentially execute arbitrary code on the host. The vulnerability is deemed high severity.

Affected Systems

All installations of Google Chrome that are running versions older than 148.0.7778.216 are potentially affected. The flaw is tied to the Input component of the browser and does not involve other products or browsers.

Risk and Exploitability

The attack requires the user to open a malicious page and perform particular UI actions, so it is a remote, user‑interaction‑dependent exploit with a CVSS score of 7.5 indicating high severity. The EPSS score is less than 1%, indicating a very low probability of exploitation, and the issue is not listed in CISA’s KEV catalog. Despite the low probability, the high severity rating and the potential for arbitrary code execution justify treating the vulnerability as a significant risk. Prompt application of the vendor‑issued fix is strongly recommended to mitigate this threat.

Generated by OpenCVE AI on May 29, 2026 at 19:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to 148.0.7778.216 or later via the built‑in update mechanism
  • Enable Chrome site‑isolation features to confine any potential compromise to a single process
  • Restrict script and gesture interactions on untrusted sites by configuring content settings or using extensions that block UI gestures

Generated by OpenCVE AI on May 29, 2026 at 19:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 29 May 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Fri, 29 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title Use-After-Free in Chrome Input Enables Potential Heap Corruption via Crafted Web Page chromium-browser: Use after free in Input
Weaknesses CWE-825
References
Metrics threat_severity

None

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important

Fri, 29 May 2026 01:15:00 +0000

Type Values Removed Values Added
Title Use-After-Free in Chrome Input Enables Potential Heap Corruption via Crafted Web Page
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 28 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description Use after free in Input in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-29T17:11:12.920Z

Reserved: 2026-05-28T17:24:54.351Z

Link: CVE-2026-9933

cve-icon Vulnrichment

Updated: 2026-05-29T17:11:08.862Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-28T23:16:51.417

Modified: 2026-05-29T18:27:09.793

Link: CVE-2026-9933

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-9933 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T20:00:05Z

Weaknesses