Description
Uninitialized Use in Gamepad in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-28
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Uninitialized data use (CWE-457) and improper initialization handling (CWE-824) in the Gamepad API of Chrome for macOS allow a remote attacker who has compromised the renderer process to potentially achieve a sandbox escape via a crafted HTML page. This flaw enables arbitrary code execution on the host, compromising confidentiality, integrity, and availability of the affected machine.

Affected Systems

The vulnerability is present in Google Chrome for macOS versions prior to 148.0.7778.216. Versions from 148.0.7778.216 onward include the fix and are not affected.

Risk and Exploitability

The CVSS score of 9.0 indicates a high severity, while the EPSS score of <1% reflects a low current exploitation probability. Based on the description, it is inferred that the likely attack vector is a crafted HTML page delivered to a renderer process that has already been compromised, requiring user interaction with malicious web content. Although the vulnerability is not listed in CISA’s KEV catalog, the high potential for arbitrary code execution warrants immediate action.

Generated by OpenCVE AI on May 29, 2026 at 15:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 148.0.7778.216 or newer.
  • Run Chrome with the --disable-features=Gamepad flag to disable the vulnerable API.
  • Isolate renderer processes and enforce strict sandboxing policies to limit the impact of any compromised renderer.

Generated by OpenCVE AI on May 29, 2026 at 15:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 29 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}

 cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Fri, 29 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title Uninitialized Use in Gamepad API Allows Potential Sandbox Escape in Google Chrome on macOS chromium-browser: Uninitialized Use in Gamepad
Weaknesses CWE-824
References
Metrics threat_severity

None

 cvssV3_1

{'score': 9.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}

threat_severity

Important

Fri, 29 May 2026 01:15:00 +0000

Type Values Removed Values Added
Title Uninitialized Use in Gamepad API Allows Potential Sandbox Escape in Google Chrome on macOS

Fri, 29 May 2026 01:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 28 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description Uninitialized Use in Gamepad in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-457
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-29T15:58:58.959Z

Reserved: 2026-05-28T17:25:05.110Z

Link: CVE-2026-9972

cve-icon Vulnrichment

Updated: 2026-05-29T15:58:55.544Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-28T23:16:55.407

Modified: 2026-05-29T16:16:39.317

Link: CVE-2026-9972

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-9972 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T15:30:04Z

Weaknesses