CVE-2026-9939 - Vulnerability Details

- chromium-browser: Heap buffer overflow in WebCodecs

Description

Heap buffer overflow in WebCodecs in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Published: 2026-05-28

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A heap buffer overflow exists in the WebCodecs component of Google Chrome prior to 148.0.7778.216. The flaw permits a remote attacker, through a specially crafted HTML page, to execute arbitrary code inside the browser sandbox. This is a traditional buffer overflow (CWE‑120 and CWE‑122). The impact is high, as direct code execution can allow an attacker to gain full control over the sandboxed browser process, potentially leading to further attacks if sandbox escape is achieved.

Affected Systems

Affected products are Google Chrome, specifically all releases before version 148.0.7778.216. Users on the Stable channel who have not applied the latest patch are at risk.

Risk and Exploitability

The flaw can be triggered simply by a victim viewing a malicious web page that contains crafted media. Chromium assigns a high severity, with a CVSS score of 8.8. The EPSS score of < 1% indicates a very low but nonzero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Because the attack vector is remote and the impact is complete arbitrary code execution within the browser sandbox, the overall risk remains significant for unpatched users, although the low EPSS suggests current exploit activity is limited.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Google

Chrome

affected

Version	Status	Constraints
`148.0.7778.216`	affected	< 148.0.7778.216

Configuration 1 [-]

AND

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:linux:linux_kernel:-:::::::*

No data.

Vendor Product Confidence Versions

Google

Chrome

100%

Version	Status	Scheme	Platform
`148.0.7778.216`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Google Chrome to version 148.0.7778.216 or newer
If an immediate update is not possible, disable WebCodecs by opening chrome://flags/#enable-webcodecs and setting it to "Disabled" or use an extension that blocks media decoding
Run the browser in an isolated or sandboxed environment and enforce strict Content Security Policy headers for any hosted content

Generated by OpenCVE AI on May 29, 2026 at 15:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00031.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html
https://issues.chromium.org/issues/502735235
https://nvd.nist.gov/vuln/detail/CVE-2026-9939
https://www.cve.org/CVERecord?id=CVE-2026-9939

History

Fri, 29 May 2026 17:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple macos Linux Linux linux Kernel Microsoft Microsoft windows
CPEs		cpe:2.3:a:google:chrome:::::::: cpe:2.3:o:apple:macos:-:::::::* cpe:2.3:o:linux:linux_kernel:-:::::::* cpe:2.3:o:microsoft:windows:-:::::::*
Vendors & Products		Apple Apple macos Linux Linux linux Kernel Microsoft Microsoft windows

Fri, 29 May 2026 13:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 29 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Title	Heap Buffer Overflow in WebCodecs Allows Remote Code Execution	chromium-browser: Heap buffer overflow in WebCodecs
Weaknesses		CWE-120
References		https://nvd.nist.gov/vuln/detail/CVE-2026-9939 https://www.cve.org/CVERecord?id=CVE-2026-9939
Metrics	threat_severity `None`	cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}` threat_severity `Important`

Fri, 29 May 2026 01:15:00 +0000

Type	Values Removed	Values Added
Title		Heap Buffer Overflow in WebCodecs Allows Remote Code Execution

Fri, 29 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Google Google chrome
Vendors & Products		Google Google chrome

Thu, 28 May 2026 22:45:00 +0000

Type	Values Removed	Values Added
Description		Heap buffer overflow in WebCodecs in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses		CWE-122
References		https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/502735235

Subscriptions

Apple Macos

Google Chrome

Linux Linux Kernel

Microsoft Windows

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2026-05-28T22:25:30.843Z

Updated: 2026-05-29T12:39:52.373Z

Reserved: 2026-05-28T17:24:55.812Z

Link: CVE-2026-9939

Vulnrichment

Updated: 2026-05-29T12:39:46.627Z

NVD

Status : Analyzed

Published: 2026-05-28T23:16:52.023

Modified: 2026-05-29T17:13:00.720

Link: CVE-2026-9939

Redhat

Severity : Important

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-9939 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T15:45:16Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object