PatchSiren cyber security CVE debrief
CVE-2026-10022 Google CVE debrief
Type Confusion in V8 in Google Chrome prior to 148.0.7778.216 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code inside a sandbox via a crafted Chrome Extension. (Chromium security severity: Medium)
- Vendor
- Product
- Chrome
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-28
- Original CVE updated
- 2026-05-29
- Advisory published
- 2026-05-28
- Advisory updated
- 2026-05-29
Who should care
Organizations and individuals using Google Chrome browser, particularly those allowing browser extension installations. Security teams managing endpoint browser configurations and enterprise Chrome deployments.
Technical summary
A type confusion vulnerability in the V8 JavaScript engine of Google Chrome allowed arbitrary code execution within the sandbox environment when a user installed a malicious browser extension. The attack vector required social engineering to convince the victim to install the crafted extension. The vulnerability has been patched in Chrome 148.0.7778.216.
Defensive priority
medium
Recommended defensive actions
- Update Google Chrome to version 148.0.7778.216 or later to remediate this vulnerability.
- Review installed browser extensions and remove any that are unnecessary or from untrusted sources.
- Consider implementing enterprise policies to restrict extension installation to approved sources only.
- Monitor for suspicious extension installation requests as part of user security awareness training.
Evidence notes
The vulnerability is classified as CWE-843 (Type Confusion). The Chromium project assigned a Medium severity rating. The issue was resolved in Chrome stable channel update 148.0.7778.216.
Official resources
2026-05-28