PatchSiren

CVE-2026-8569 Google CVE debrief

CVE-2026-8569 is an out-of-bounds write flaw in Chrome’s codec handling on macOS that could let a remote attacker potentially escape the browser sandbox by getting a victim to open a crafted video file. Chromium rates the issue Medium, but the NVD-assigned CVSS score is 8.3 (High), so it should be treated as a priority patch for managed Chrome deployments on Mac.

Vendor: Google
Product: Chrome
CVSS: HIGH 8.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-21
Advisory published: 2026-05-14
Advisory updated: 2026-05-21

Who should care

Security teams managing Chrome on macOS, endpoint administrators, and users who may open untrusted video content in the browser. Because exploitation requires user interaction and a crafted file, fleets with broad browser exposure or external-content workflows should prioritize remediation.

Technical summary

NVD records the vulnerable product as Google Chrome versions prior to 148.0.7778.168, with the issue described as an out-of-bounds write in Chrome codecs on Mac. The published CVSS vector is AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H, indicating remote reachability with required user interaction and potential impact beyond the browser sandbox. The associated weakness mapping is CWE-787 (out-of-bounds write).

Defensive priority

High. Even though Chromium labels the issue Medium, the combination of remote exposure, user interaction, and possible sandbox escape makes prompt patching appropriate for Chrome installations on Mac.

Recommended defensive actions

  • Update Google Chrome on macOS to 148.0.7778.168 or later.
  • Verify managed browser fleets are not pinned to an affected pre-148.0.7778.168 build.
  • Treat untrusted or externally sourced video files as higher risk until patching is complete.
  • Prioritize remediation on endpoints that routinely browse unknown content or handle media from outside trusted workflows.
  • Track the linked Chrome release advisory and Chromium issue for any follow-up guidance.
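
The first two actions can be checked with a short script. This is an added example, not part of the advisory or any Google tooling: it compares four-part Chrome versions numerically against the fixed build 148.0.7778.168 and audits a fleet inventory. The "host version" inventory format, the function names and the default install path are assumptions.

```shell
#!/bin/sh
# Added example: compare Chrome versions against the fixed build named on this page.
FIXED_VERSION="148.0.7778.168"
# Assumption: default install location of Chrome on macOS.
CHROME_PLIST="/Applications/Google Chrome.app/Contents/Info.plist"

# is_patched VERSION
# Returns 0 if VERSION >= FIXED_VERSION, 1 if older, 2 if not a four-part version.
is_patched() {
    printf '%s\n' "$1" | awk -F. -v fixed="$FIXED_VERSION" '
        NF != 4 || $0 !~ /^[0-9]+(\.[0-9]+)+$/ { exit 2 }
        {
            split(fixed, f, ".")
            # Numeric field-by-field comparison, so 148.0.7778.99 < 148.0.7778.168
            for (i = 1; i <= 4; i++) {
                if ($i + 0 > f[i] + 0) exit 0
                if ($i + 0 < f[i] + 0) exit 1
            }
            exit 0
        }'
}

# audit_inventory: reads "host version" lines on stdin (hypothetical format),
# prints "host version STATUS" per host, returns 1 if any host is not confirmed patched.
audit_inventory() {
    rc=0
    while read -r host version; do
        [ -n "$host" ] || continue
        if is_patched "$version"; then
            status=OK
        else
            case $? in
                1) status=VULNERABLE ;;
                *) status=UNKNOWN ;;   # unparseable version: investigate by hand
            esac
            rc=1
        fi
        printf '%s %s %s\n' "$host" "$version" "$status"
    done
    return $rc
}

# On a Mac with Chrome installed, check the local build (PlistBuddy ships with macOS).
if [ -f "$CHROME_PLIST" ]; then
    v=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$CHROME_PLIST")
    printf 'localhost %s\n' "$v" | audit_inventory
fi
```

A plain string comparison would rank 148.0.7778.99 above 148.0.7778.168, which is why the fields are compared as numbers.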

Evidence notes

The NVD record cites Google’s Chrome release advisory (Stable Channel Update for Desktop, May 2026) and Chromium issue 490229299 as references. The vulnerability description states the flaw affects Google Chrome on Mac prior to 148.0.7778.168 and could enable a sandbox escape via a crafted video file. NVD’s CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H, and the mapped weakness is CWE-787. NVD’s CPE data marks Google Chrome as vulnerable and macOS itself as not vulnerable, supporting the interpretation that the issue is in Chrome running on Mac rather than in macOS.

Official resources

Publicly disclosed in NVD on 2026-05-14 and last modified on 2026-05-21.