PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8539 Google CVE debrief

A Universal Cross-Site Scripting (UXSS) vulnerability in Google Chrome on Android, specifically within the SanitizerAPI component, allowed remote attackers to inject arbitrary scripts or HTML via a crafted HTML page. The vulnerability was present in versions prior to 148.0.7778.168 and has been assigned a High severity rating by Chromium security with a CVSS 3.1 score of 5.4 (MEDIUM). The flaw was published on May 14, 2026, with subsequent modification on May 19, 2026. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor: Google
Product: Chrome
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-19
Advisory published: 2026-05-14
Advisory updated: 2026-05-19

Who should care

Organizations with mobile workforces using Android devices, developers relying on SanitizerAPI for client-side HTML sanitization, and security teams monitoring for browser-based attack vectors should prioritize this update. The UXSS nature of this vulnerability makes it particularly concerning for applications that process untrusted HTML content.

Technical summary

The vulnerability exists in the SanitizerAPI implementation within Google Chrome for Android. A crafted HTML page could bypass sanitization controls, enabling injection of arbitrary scripts or HTML content. This is a Universal XSS (UXSS) condition: the attacker does not need an XSS flaw in any particular website, because the weakness is in the browser's own sanitization mechanism, so any site that relies on SanitizerAPI to neutralize untrusted markup is exposed. The attack requires network access and user interaction (e.g., visiting a malicious page). Successful exploitation could lead to information disclosure and limited integrity impacts within the browser context.

Defensive priority

High

Recommended defensive actions

  • Update Google Chrome on Android to version 148.0.7778.168 or later to remediate the SanitizerAPI script injection vulnerability.
  • Monitor for unexpected script execution in web applications utilizing SanitizerAPI on affected Chrome Android versions.
  • Review application logs for suspicious HTML or script injection attempts targeting Android Chrome users prior to the patch date.
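Because the flaw is in the browser rather than in any one site, the only real fix is the client update named above; a site that depends on SanitizerAPI can at best tell which of its Android Chrome visitors are still on a build below 148.0.7778.168 and steer them to update. The following is an added example (not PatchSiren's, Google's or Chromium's code) of that server-side check. It takes the fixed build number from this advisory; the User-Agent strings, the client-hint header value and all function names are constructed for the example. It also handles the caveat that current Chrome sends a reduced User-Agent of the form "Chrome/148.0.0.0", where the build component is zeroed out, so the full version must be requested through the Sec-CH-UA-Full-Version-List client hint:

```javascript
// Added example, not PatchSiren's or Chromium's code. Classifies a client as
// vulnerable/patched/unknown against the fixed Chrome for Android build from the
// advisory (148.0.7778.168). UA strings, the client-hint header and function
// names below are constructed for this example.

const FIXED_CHROME_ANDROID = "148.0.7778.168"; // from the advisory
const FIXED_MAJOR = 148;

// Parse "a.b.c.d" into integers; null if any component is non-numeric.
function parseVersion(v) {
  if (typeof v !== "string") return null;
  const parts = v.trim().split(".");
  if (!parts.every((p) => /^\d+$/.test(p))) return null;
  return parts.map((p) => parseInt(p, 10));
}

// Numeric comparison per component, so "148.0.7778.9" < "148.0.7778.168"
// (a plain string comparison gets this wrong). Missing components count as 0.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error("malformed version string");
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Pull the Chrome version out of a User-Agent string, only for Android clients.
// Returns null when the UA is not Android Chrome (desktop builds are out of scope here).
function chromeAndroidVersionFromUA(ua) {
  if (!/\bAndroid\b/.test(ua)) return null;
  const m = /\bChrome\/(\d+(?:\.\d+)*)/.exec(ua);
  return m ? m[1] : null;
}

// Pull the "Google Chrome" entry out of a Sec-CH-UA-Full-Version-List header,
// e.g. "Google Chrome";v="148.0.7778.168", "Chromium";v="148.0.7778.168".
// The server must opt in with Accept-CH: Sec-CH-UA-Full-Version-List to receive it.
function chromeVersionFromClientHint(header) {
  if (typeof header !== "string") return null;
  const m = /"Google Chrome";v="(\d+(?:\.\d+)*)"/.exec(header);
  return m ? m[1] : null;
}

// Classify one request. Results:
//   "unaffected" - not Chrome on Android
//   "patched"    - at or above the fixed build
//   "vulnerable" - below the fixed build
//   "unknown"    - UA is the reduced "148.0.0.0" form and no client hint was sent,
//                  so the build within major 148 cannot be determined
function classifyChromeAndroid(ua, fullVersionListHeader = null) {
  const uaVersion = chromeAndroidVersionFromUA(ua);
  if (uaVersion === null) return "unaffected";

  // The client hint carries the real build even when the UA is reduced.
  const hinted = chromeVersionFromClientHint(fullVersionListHeader);
  if (hinted !== null) {
    return compareVersions(hinted, FIXED_CHROME_ANDROID) >= 0 ? "patched" : "vulnerable";
  }

  const parts = parseVersion(uaVersion);
  const reduced = parts.length === 4 && parts[1] === 0 && parts[2] === 0 && parts[3] === 0;
  if (reduced) {
    // Only the major version is trustworthy in a reduced UA.
    if (parts[0] < FIXED_MAJOR) return "vulnerable";
    if (parts[0] > FIXED_MAJOR) return "patched";
    return "unknown";
  }
  return compareVersions(uaVersion, FIXED_CHROME_ANDROID) >= 0 ? "patched" : "vulnerable";
}

// Constructed sample requests (not real telemetry).
const SAMPLE_REQUESTS = [
  { ua: "Mozilla/5.0 (Linux; Android 14; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.7700.50 Mobile Safari/537.36" },
  { ua: "Mozilla/5.0 (Linux; Android 14; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Mobile Safari/537.36" },
  { ua: "Mozilla/5.0 (Linux; Android 14; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Mobile Safari/537.36",
    hint: '"Google Chrome";v="148.0.7778.168", "Chromium";v="148.0.7778.168"' },
  { ua: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36" },
];

for (const r of SAMPLE_REQUESTS) {
  console.log(classifyChromeAndroid(r.ua, r.hint ?? null), "<-", r.ua.slice(0, 70));
}
```

The "unknown" result is the important one operationally: a reduced UA of "148.0.0.0" would compare as below 148.0.7778.168 and mislabel every up-to-date major-148 client as vulnerable, so the check refuses to guess and the page should request the full-version client hint before deciding anything.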

Evidence notes

Vulnerability confirmed through official Chrome release notes and the Chromium issue tracker. CPE criteria confirm the affected product as Google Chrome on Android with a version boundary prior to 148.0.7778.168. The CVSS vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N confirms a network attack vector requiring user interaction but no privileges, with low confidentiality and integrity impact and no availability impact.

Official resources

2026-05-14