PatchSiren

CVE-2026-8559 Google CVE debrief

CVE-2026-8559 is a high-severity integer overflow vulnerability in Google Chrome's Internationalization component on Windows, disclosed by Google on May 14, 2026. The flaw allows remote attackers to perform out-of-bounds memory writes via crafted HTML pages, potentially enabling code execution or browser compromise. Google's Chromium security severity rating for the issue is High, while the NVD-assigned CVSS 3.1 score is Medium (4.3), with a network attack vector, low attack complexity, and required user interaction. The vulnerability affects all Chrome versions prior to 148.0.7778.168 on Windows platforms. Google addressed this in the Stable channel update released May 12, 2026. No known exploitation in the wild has been reported, and the vulnerability is not listed in CISA KEV. Organizations should prioritize updating Chrome installations on Windows endpoints to version 148.0.7778.168 or later.

Vendor: Google
Product: Chrome
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-19
Advisory published: 2026-05-14
Advisory updated: 2026-05-19

Who should care

Organizations with Windows endpoints running Google Chrome; security teams managing browser update compliance; developers building web applications with internationalization features.

Technical summary

An integer overflow in Chrome's Internationalization (i18n) component on Windows platforms allows out-of-bounds memory writes when processing specially crafted HTML content. The vulnerability stems from insufficient bounds checking during internationalization operations, enabling attackers to corrupt memory and potentially achieve arbitrary code execution within the browser sandbox. The attack requires user interaction (visiting a malicious page) but can be triggered remotely. Google patched this in Chrome 148.0.7778.168.

Defensive priority

High

Recommended defensive actions

  • Update Google Chrome on Windows systems to version 148.0.7778.168 or later
  • Verify Chrome auto-update is enabled for managed endpoints
  • Review browser version inventory for Windows devices running Chrome versions below 148.0.7778.168
  • Monitor for unexpected Chrome crashes or memory-related errors that may indicate exploitation attempts
  • Apply principle of least privilege for browser processes where feasible

Evidence notes

Vulnerability description and affected versions confirmed via NVD CPE data and Google Chrome Release blog. CVSS vector and severity ratings sourced from NVD. Chromium security severity rating of High per vendor advisory. Fix version 148.0.7778.168 confirmed in Chrome Stable channel release notes.
