PatchSiren cyber security CVE debrief
CVE-2026-8551 Google CVE debrief
Use-after-free vulnerability in Google Chrome's Downloads component enables remote code execution through crafted HTML pages and user interaction.
- Vendor: Google
- Product: Chrome
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-14
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-14
- Advisory updated: 2026-05-19
Who should care
Organizations with managed Chrome deployments, security teams monitoring browser-based attack vectors, and end users on unpatched Chrome versions prior to 148.0.7778.168.
Technical summary
A use-after-free condition in Chrome's Downloads implementation allows memory corruption when processing crafted HTML pages. Successful exploitation requires convincing a user to perform specific UI interactions, after which arbitrary code execution occurs in the browser context. The vulnerability is classified as High severity by the Chromium security team.
Defensive priority
high
Recommended defensive actions
- Upgrade Google Chrome to version 148.0.7778.168 or later.
- Restrict user execution of untrusted HTML content via browser policies.
- Monitor for anomalous download-related browser crashes as potential exploitation indicators.
Evidence notes
CVE published 2026-05-14; NVD entry modified 2026-05-19. Vendor advisory confirms fix in Chrome 148.0.7778.168. Chromium issue tracker reference requires permissions. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.
Official resources
- CVE-2026-8551 CVE record (CVE.org)
- CVE-2026-8551 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Product, Vendor Advisory
- Source reference: [email protected] - Permissions Required
2026-05-14