PatchSiren

CVE-2026-8517 Google CVE debrief

CVE-2026-8517 is an object lifecycle vulnerability in Google Chrome's WebShare feature on macOS, rated CVSS 8.8 (HIGH). The flaw, published 2026-05-14 and last modified 2026-05-19, allows remote code execution when a user is tricked into performing specific UI gestures on a malicious HTML page. It stems from improper resource lifecycle management (CWE-664) in the WebShare implementation. Google has fixed it in Chrome stable channel version 148.0.7778.168 and later. The attack is network-based and requires user interaction but no privileges. Although the stored vendor field indicates Apple with medium confidence, the CPE data and advisory sources confirm this is a Google Chrome vulnerability affecting macOS systems. No exploitation in ransomware campaigns has been documented, and the issue has not been added to CISA's KEV catalog.

Vendor: Google
Product: Chrome
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-19
Advisory published: 2026-05-14
Advisory updated: 2026-05-19

Who should care

macOS users and administrators running Google Chrome; organizations with bring-your-own-device policies; security teams monitoring browser-based attack vectors; developers implementing WebShare functionality in web applications

Technical summary

The vulnerability exists in Chrome's WebShare API implementation on macOS, where improper object lifecycle management can lead to use-after-free or similar memory corruption conditions. When a user interacts with a crafted HTML page that manipulates WebShare through specific UI gestures, the corrupted state can be exploited to execute arbitrary code in the browser context. The attack vector is network-based with low complexity, requiring only that a user be convinced to perform the triggering actions. The fix in 148.0.7778.168 corrects the lifecycle handling to prevent the exploitable condition.

Defensive priority

critical

Recommended defensive actions

  • Update Google Chrome to version 148.0.7778.168 or later on all macOS endpoints
  • Review and restrict WebShare API usage in enterprise environments where not required
  • Deploy browser update policies to ensure automatic patching
  • Monitor for suspicious HTML pages attempting to trigger WebShare UI gestures
  • Consider disabling WebShare via enterprise policy if functionality is not business-critical
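
One way to check the first action on a macOS endpoint (an added example, not part of the original debrief or of any Google tooling): the script compares the installed Chrome version against the fixed version 148.0.7778.168 component by component. The install paths and the function names version_lt and chrome_status are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag Chrome builds older than the fixed version named in this debrief.
FIXED="148.0.7778.168"

# version_lt A B: succeed when dotted version A is numerically lower than B.
# Components are compared as integers, so 148.0.7778.99 sorts below
# 148.0.7778.168 (a plain string comparison would get this wrong).
# Missing trailing components count as 0.
version_lt() {
    va=$1; vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        ca=${va%%.*}; cb=${vb%%.*}
        case $va in *.*) va=${va#*.} ;; *) va= ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
        [ "${ca:-0}" -lt "${cb:-0}" ] && return 0
        [ "${ca:-0}" -gt "${cb:-0}" ] && return 1
    done
    return 1    # versions are equal
}

# chrome_status VERSION: print "vulnerable", "patched", or "unknown"
# (empty or malformed version strings are never reported as patched).
chrome_status() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    if version_lt "$1" "$FIXED"; then echo vulnerable; else echo patched; fi
}

# Assumed install locations (system-wide and per-user); adjust for your fleet.
for app in "/Applications/Google Chrome.app" "$HOME/Applications/Google Chrome.app"; do
    plist="$app/Contents/Info.plist"
    [ -f "$plist" ] || continue
    ver=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$plist" 2>/dev/null) || ver=
    echo "$app: ${ver:-?} $(chrome_status "$ver")"
done
```

The script reads the version on disk; a Chrome session that was already running when the update landed keeps executing the old build until it is relaunched.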

Evidence notes

Primary sources: NVD record with Chrome Release Blog advisory and Chromium issue tracker reference. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. CWE-664 (Improper Control of a Resource Through its Lifetime) identified. Fixed version: 148.0.7778.168.

Official resources

2026-05-14T20:17:12.453Z