PatchSiren

CVE-2026-8552 Google CVE debrief

A heap buffer overflow vulnerability in the GPU component of Google Chrome on Android allows remote attackers to perform out-of-bounds memory writes via crafted HTML pages. The vulnerability, rated High severity by Chromium security, affects Chrome versions prior to 148.0.7778.168 on Android. The CVSS 3.1 score of 4.3 (Medium) reflects a network attack vector with low attack complexity, requiring no privileges but needing user interaction in the form of rendering a malicious page. The root cause is identified as CWE-122 (Heap-based Buffer Overflow). Google addressed this vulnerability in the May 2026 stable channel security update. No known exploitation in ransomware campaigns has been documented, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog.

Vendor: Google
Product: Chrome
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-19
Advisory published: 2026-05-14
Advisory updated: 2026-05-19

Who should care

Android device users running Google Chrome; mobile security administrators; organizations with BYOD Android policies; security teams monitoring browser-based attack vectors

Technical summary

The vulnerability exists in the GPU processing component of Google Chrome on Android, where improper bounds checking enables heap buffer overflow conditions when processing crafted HTML content. Successful exploitation could allow attackers to corrupt memory and potentially achieve code execution within the Chrome sandbox context. The attack requires user interaction to visit a malicious page, with no authentication required. The fix was released in Chrome stable channel version 148.0.7778.168.

Defensive priority

medium

Recommended defensive actions

  • Update Google Chrome on Android devices to version 148.0.7778.168 or later
  • Monitor for unexpected browser crashes or GPU process terminations on Android Chrome installations
  • Apply security updates promptly: this vulnerability requires user interaction but has low attack complexity
  • Review mobile device management policies to ensure automatic Chrome updates are enabled for managed Android devices
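
The version check behind the first and last actions can be automated across a device fleet. The following is an added example, not part of the original advisory or any Google or MDM tooling: it classifies devices against the fixed build 148.0.7778.168 from collected `adb shell dumpsys package com.android.chrome` output. The device names and sample outputs are constructed, and the layout of the "Hidden system packages:" section is an assumption about that output.

```python
import re

# First fixed Chrome for Android build, taken from the advisory above.
FIXED = (148, 0, 7778, 168)

# Constructed sample data: device names and all versions except the fixed
# build are made up. Each value mimics an excerpt of
# `adb shell dumpsys package com.android.chrome` for one device.
SAMPLE = {
    "lab-phone-01": "Packages:\n  Package [com.android.chrome]\n    versionName=148.0.7778.168\n",
    "byod-phone-07": "Packages:\n  Package [com.android.chrome]\n    versionName=148.0.7778.99\n",
    "kiosk-tablet-03": (
        "Packages:\n  Package [com.android.chrome]\n    versionName=148.0.7778.200\n"
        "Hidden system packages:\n  Package [com.android.chrome]\n    versionName=131.0.6778.39\n"
    ),
    "scanner-12": "Packages:\n",  # Chrome not installed or output empty
}


def parse_version(dumpsys_text):
    """Return the active Chrome version as a 4-int tuple, or None if absent."""
    # Ignore the factory copy listed under "Hidden system packages:"; only the
    # entry before it reflects what is actually running (assumed layout).
    active = dumpsys_text.split("Hidden system packages:", 1)[0]
    m = re.search(r"^\s*versionName=(\d+(?:\.\d+){3})\b", active, re.MULTILINE)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def classify(dumpsys_text):
    """Compare numerically: as strings, '99' would sort after '168'."""
    version = parse_version(dumpsys_text)
    if version is None:
        return "unknown"
    return "patched" if version >= FIXED else "vulnerable"


def audit(inventory):
    """Map each device to patched / vulnerable / unknown."""
    return {device: classify(text) for device, text in inventory.items()}


if __name__ == "__main__":
    for device, status in sorted(audit(SAMPLE).items()):
        print(f"{device:18} {status}")
```

Devices reported as "unknown" need manual follow-up, since a missing version string does not show that Chrome is absent or patched.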

Evidence notes

CVE published 2026-05-14; modified 2026-05-19. The vendor advisory confirms the fix in Chrome 148.0.7778.168. The Chromium issue tracker reference requires permissions to access full details. The CPE configuration indicates the vulnerability is specific to Chrome on the Android platform.

Official resources

2026-05-14