PatchSiren cyber security CVE debrief
CVE-2026-8512 Apple CVE debrief
CVE-2026-8512 is a memory-safety issue in Google Chrome’s FileSystem component. According to the CVE record, a remote attacker who persuades a user to perform specific UI gestures on a crafted HTML page may potentially trigger a sandbox escape in Chrome versions prior to 148.0.7778.168. NVD rates the issue with a CVSS 3.1 vector of AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H, reflecting remote reach, required user interaction, and high potential impact.
- Vendor: Apple
- Product: Unknown
- CVSS: HIGH 8.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-14
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-14
- Advisory updated: 2026-05-18
Who should care
Security teams managing Chrome desktop deployments, browser update pipelines, endpoint defenders, and anyone responsible for environments where users can browse untrusted web content. This is especially relevant where Chrome versions may lag behind 148.0.7778.168.
Technical summary
The vulnerability is described as a use-after-free in Chrome’s FileSystem code path, with CWE-416 listed in the NVD record. The issue is remotely reachable through a crafted HTML page, but exploitation depends on user interaction and specific UI gestures. NVD’s affected CPE entry marks Google Chrome versions before 148.0.7778.168 as vulnerable. The CVSS vector also indicates a changed scope, consistent with the reported potential sandbox escape.
Defensive priority
High priority. Although exploitation requires user interaction and is rated with high attack complexity, the issue is in a browser component, is remotely reachable, and is described as potentially enabling sandbox escape. Patch deployment should be expedited for any Chrome fleet still below 148.0.7778.168.
Recommended defensive actions
- Update Google Chrome to 148.0.7778.168 or later on all affected desktops as soon as possible.
- Verify browser version compliance across managed endpoints, VDI images, and software catalogs.
- Prioritize remediation for users with routine exposure to untrusted web content or elevated business impact from browser compromise.
- Monitor vendor advisories and browser update channels for any follow-on fixes or rollback guidance.
- Use standard browser hardening controls, but do not rely on them as a substitute for the version update.
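The version-compliance check in the list above is easy to get wrong when Chrome's four-part version strings are compared as text rather than as numbers. The script below is an added example for this debrief, not PatchSiren tooling or anything from the Chrome project: it parses each reported version, compares it numerically against the fixed version 148.0.7778.168 named in the CVE record, and keeps unparseable rows visible instead of silently treating them as patched. The inventory rows and hostnames are constructed sample data standing in for an endpoint-management export.

```python
"""Check a Chrome inventory against the fixed version for CVE-2026-8512.

Added example for this debrief, not PatchSiren tooling. The inventory rows
below are constructed sample data; in practice they would come from an
endpoint-management export of (hostname, reported Chrome version).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Fixed version named in the CVE record and the NVD CPE criteria.
FIXED_VERSION = "148.0.7778.168"

_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse a Chrome 'MAJOR.MINOR.BUILD.PATCH' string into an int tuple.

    Comparing as integers matters: a plain string comparison ranks
    '148.0.7778.9' above '148.0.7778.168' because '9' > '1'.
    """
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a four-part Chrome version: {text!r}")
    major, minor, build, patch = (int(p) for p in text.split("."))
    return major, minor, build, patch


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the reported version is strictly below the fixed version."""
    return parse_version(version) < parse_version(fixed)


@dataclass(frozen=True)
class Finding:
    hostname: str
    version: str
    status: str  # "vulnerable", "patched" or "unparseable"


def triage(inventory: list[tuple[str, str]]) -> list[Finding]:
    """Classify each (hostname, version) row; a bad row never aborts the run."""
    findings = []
    for hostname, version in inventory:
        try:
            status = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            # Blank, 'unknown' or truncated entries need a manual look;
            # counting them as patched would hide real exposure.
            status = "unparseable"
        findings.append(Finding(hostname, version, status))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count hosts per status for the remediation report."""
    counts = {"vulnerable": 0, "patched": 0, "unparseable": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-001", "148.0.7778.168"),  # exactly the fixed version
    ("ws-002", "148.0.7778.9"),    # lower patch number; string compare gets this wrong
    ("ws-003", "147.0.7700.120"),  # older major/build
    ("ws-004", "149.0.7800.10"),   # newer than the fix
    ("vdi-gold", "unknown"),       # agent could not read the version
]


if __name__ == "__main__":
    results = triage(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.hostname:10} {f.version:18} {f.status}")
    print(summarize(results))
```

Feed it the real export in place of `SAMPLE_INVENTORY`; any host reported as `unparseable` should be re-inventoried rather than closed out, and VDI gold images belong in the list alongside physical desktops.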
Evidence notes
CVE published 2026-05-14 and last modified 2026-05-18. The NVD record is marked Analyzed and includes a Google Chrome vendor advisory reference plus a Chromium issue reference. NVD’s affected CPE criteria identify Google Chrome as vulnerable before 148.0.7778.168, and the weakness mapping cites CWE-416. The CVSS vector supplied by NVD is CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H. Note: the supplied vendor metadata contains an Apple mapping from nvd_cpe, but the vulnerability details and references are explicitly for Google Chrome; this should be treated as a metadata inconsistency rather than a basis for changing the technical description.
Official resources
- CVE-2026-8512 CVE record (CVE.org)
- CVE-2026-8512 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Product, Vendor Advisory
- Source reference: [email protected] - Permissions Required
Publicly disclosed in the official CVE/NVD records on 2026-05-14, with an NVD update on 2026-05-18. The supplied references point to Google Chrome and Chromium project material associated with the issue.