PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8529 Apple CVE debrief

CVE-2026-8529 is a high-severity memory corruption issue in Google Chrome’s codecs component. According to the NVD record and Google’s advisory, a crafted video file could trigger a heap buffer overflow and allow remote code execution inside the browser sandbox. The vulnerable product range is Chrome before 148.0.7778.168.

Vendor: Apple
Product: Unknown
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-18
Advisory published: 2026-05-14
Advisory updated: 2026-05-18

Who should care

Organizations and individuals running Google Chrome versions earlier than 148.0.7778.168, especially endpoints that routinely consume untrusted web content or video files. Security teams managing browser patching should treat this as a high-priority browser update.

Technical summary

The NVD record identifies a heap buffer overflow, mapped to CWE-122, affecting Google Chrome’s codecs. The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating network reachability with user interaction required. The reported impact is remote code execution inside a sandbox via a crafted video file. NVD’s vulnerable CPE entry ends at Chrome 148.0.7778.168, indicating that builds prior to that release are affected.

Defensive priority

High. This is a remotely reachable browser memory corruption issue with potential code execution and broad confidentiality/integrity/availability impact, though it requires user interaction. Browser updates should be prioritized quickly on exposed fleets.

Recommended defensive actions

  • Update Google Chrome to 148.0.7778.168 or later.
  • Verify managed and unmanaged endpoints are no longer on affected Chrome builds.
  • Prioritize patching for systems that regularly open untrusted or externally supplied media content.
  • Track vendor release notes and deployment status to confirm the fix is fully rolled out.
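
One way to carry out the endpoint verification step above, shown as an added example that is not part of the NVD record or Google's advisory. The inventory format, hostnames and every sample version other than 148.0.7778.168 are constructed assumptions.

```python
import re

# Fixed build stated on this page; builds below it are affected.
FIXED = (148, 0, 7778, 168)

# Matches a four-part Chrome version anywhere in a reported string.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Return a 4-int tuple, or None if no four-part version is present."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def classify(text):
    """Return 'affected', 'patched' or 'unknown' for one reported version."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    # Tuple comparison is numeric per component; comparing the raw strings
    # would rank 148.0.7778.99 above 148.0.7778.168 and miss that host.
    return "affected" if v < FIXED else "patched"

def triage(inventory):
    """Group hostnames by status. Unknowns are kept for follow-up,
    not assumed to be patched."""
    result = {"affected": [], "patched": [], "unknown": []}
    for host, reported in inventory:
        result[classify(reported)].append(host)
    return result

# Constructed sample inventory: (hostname, version string as reported).
SAMPLE_INVENTORY = [
    ("ws-001", "Google Chrome 148.0.7778.168"),
    ("ws-002", "Google Chrome 148.0.7778.99"),
    ("ws-003", "147.0.7727.117"),
    ("ws-004", "Google Chrome 149.0.7800.12"),
    ("ws-005", ""),  # agent returned nothing
    ("ws-006", "Google Chrome 148.0.7778.167 beta"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts in the unknown group, such as unmanaged endpoints that report no version, still need a manual check before the rollout is considered complete.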

Evidence notes

NVD marks the record as analyzed and links to Google’s Chrome stable-channel update and Chromium issue 490222151. The source corpus attributes the vulnerability to Google Chrome, not an operating system component. The CVSS vector and CWE-122 mapping are taken from the NVD metadata; the description states exploitation via a crafted video file and code execution inside a sandbox.

Official resources

Published by NVD on 2026-05-14 and modified on 2026-05-18. The source corpus references Google’s Chrome stable-channel update for desktop and a Chromium issue entry as the primary vendor-linked references.