PatchSiren


CVE-2026-8571 Google CVE debrief

CVE-2026-8571 is a sandbox escape vulnerability in Google Chrome on Android, stemming from insufficient policy enforcement in the GPU component. A remote attacker who has already compromised the renderer process could leverage this flaw to escape the browser sandbox via a crafted HTML page. The vulnerability affects Chrome versions prior to 148.0.7778.168 on Android. Google has assigned it a Medium severity rating, while NVD's CVSS 3.1 score is HIGH (8.3), reflecting the potential for complete confidentiality, integrity, and availability impact with a changed scope. The issue was addressed in the May 2026 stable channel update.

Vendor: Google
Product: Chrome
CVSS: HIGH 8.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-19
Advisory published: 2026-05-14
Advisory updated: 2026-05-19

Who should care

Organizations with Android device fleets using Chrome for business browsing; mobile security teams; BYOD environments; users handling sensitive data on Android Chrome browsers

Technical summary

The vulnerability exists in Chrome's GPU process policy enforcement on Android. An attacker who has already compromised the renderer process can use a crafted HTML page to bypass sandbox restrictions. The fix was released in Chrome 148.0.7778.168. The CVSS 3.1 vector is AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H. CWE-693 (Protection Mechanism Failure) is identified as the weakness type.

Defensive priority

high

Recommended defensive actions

  • Update Google Chrome on Android devices to version 148.0.7778.168 or later
  • Prioritize patching for devices where users browse untrusted web content
  • Monitor for signs of renderer process compromise as potential precursor to exploitation
  • Review application sandboxing controls for mobile browser deployments
  • Consider implementing site isolation policies to limit renderer compromise impact

Evidence notes

CVE published 2026-05-14; modified 2026-05-19. The vendor advisory confirms the fix in Chrome 148.0.7778.168. The Chromium issue tracker reference requires permissions to view full details. The CPE indicates that the vulnerability affects Chrome on Android specifically.
