Description
Use after free in WebXR in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-28
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free defect in Chrome’s WebXR component allows a crafted HTML page to trigger arbitrary code execution inside the browser sandbox. The flaw is categorized as CWE‑416 and CWE‑825, granting an attacker the ability to run code within the confined environment that Chrome uses for rendering web content.

Affected Systems

Google Chrome versions earlier than 148.0.7778.216 are affected. All builds of the stable channel released before that version contain the vulnerability.

Risk and Exploitability

Chromium assigns a high severity rating to this vulnerability, with a CVSS score of 8.8. The EPSS score is < 1%, and it is not listed in the CISA KEV catalog. Based on the description, it is inferred that the flaw can be triggered by any web page that the user opens, leading to code execution inside the sandboxed process. No publicly known exploits have been reported, but the security impact is considered high.

Generated by OpenCVE AI on May 29, 2026 at 14:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 148.0.7778.216 or later using the Stable channel update released by Google.
  • If an immediate upgrade is not possible, disable the WebXR API through Chrome settings or enforce an enterprise policy such as DisableWebXR to block the vulnerable code path.
  • Review and remove or update any WebXR content on sites you control until the patch is applied, thereby reducing the attack surface.

Generated by OpenCVE AI on May 29, 2026 at 14:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 29 May 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 29 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title Use-After-Free in WebXR Permits Remote Code Execution chromium-browser: Use after free in WebXR
Weaknesses CWE-825
References
Metrics threat_severity

None

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important

Fri, 29 May 2026 01:15:00 +0000

Type Values Removed Values Added
Title Use-After-Free in WebXR Permits Remote Code Execution

Fri, 29 May 2026 00:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 28 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description Use after free in WebXR in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-29T10:57:40.051Z

Reserved: 2026-05-28T17:25:10.130Z

Link: CVE-2026-9995

cve-icon Vulnrichment

Updated: 2026-05-29T10:22:13.105Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-28T23:16:57.730

Modified: 2026-05-29T16:40:56.180

Link: CVE-2026-9995

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-9995 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T15:00:17Z

Weaknesses