Description
Inappropriate implementation in USB in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-28
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from an inadequate USB implementation in Google Chrome before version 148.0.7778.216. A remote attacker who can craft a malicious HTML page can exploit this flaw, triggering arbitrary code execution in the browser. Chromium lists the issue as High severity, indicating significant risk to confidentiality and system integrity.

Affected Systems

Affected systems are all installations of Google Chrome prior to version 148.0.7778.216. The mitigation applies to Chrome running on Windows, macOS, Linux, and other supported platforms, as all rely on the same USB handling code that contains the flaw.

Risk and Exploitability

The CVSS score is 8.8, indicating a high severity vulnerability. The EPSS score is < 1%, which suggests a low probability of exploitation, yet the risk remains significant because the flaw allows arbitrary code execution. The vulnerability can be triggered remotely through a crafted HTML page served from an attacker‑controlled site, meaning any user who opens that page with Chrome is at risk. The flaw is not listed in CISA's KEV catalog, yet the potential for arbitrary code execution warrants immediate attention.

Generated by OpenCVE AI on May 29, 2026 at 14:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to the latest stable release, ensuring the version is at least 148.0.7778.216, which includes the USB handling fix.
  • On systems where the update cannot be applied immediately, enforce strict USB device control policies or block USB device usage via group policy or configuration to close off the vulnerable pathway.
  • Deploy web filtering or content‑security‑policy rules to block or flag suspicious HTML pages that attempt to interact with USB devices, and monitor browser logs for anomalous USB access requests.

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 29 May 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-79

Fri, 29 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 29 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via USB Exploit in Chrome chromium-browser: Inappropriate implementation in USB
Weaknesses CWE-94
References
Metrics threat_severity

None

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important


Fri, 29 May 2026 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 29 May 2026 00:45:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via USB Exploit in Chrome
Weaknesses CWE-119
CWE-79

Thu, 28 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in USB in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-29T12:34:56.989Z

Reserved: 2026-05-28T17:25:05.969Z

Link: CVE-2026-9976

Vulnrichment

Updated: 2026-05-29T12:34:53.257Z

NVD

Status: Analyzed

Published: 2026-05-28T23:16:55.833

Modified: 2026-05-29T16:43:46.580

Link: CVE-2026-9976

Redhat

Severity: Important

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-9976 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T15:00:17Z

Weaknesses