PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8574 Google CVE debrief

A use-after-free vulnerability in Google Chrome's Core component on Windows allows a remote attacker who has already compromised the renderer process to potentially escape the browser sandbox. The vulnerability requires user interaction and high attack complexity, but successful exploitation could lead to complete system compromise. Google has rated this as Medium severity per Chromium's internal scale, though NVD analysis assigns a CVSS 3.1 score of 8.3 (HIGH). The flaw was addressed in Chrome stable channel version 148.0.7778.168, released May 12, 2026. No known exploitation in the wild has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor: Google
Product: Chrome
CVSS: HIGH 8.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-19
Advisory published: 2026-05-14
Advisory updated: 2026-05-19

Who should care

Windows enterprise administrators managing Chrome deployments; security teams monitoring browser-based attack chains; incident responders investigating renderer compromise followed by privilege escalation.

Technical summary

The vulnerability exists in Chrome's Core component where a use-after-free condition can be triggered via crafted HTML content. Exploitation requires prior compromise of the renderer process, typically achieved through a separate vulnerability. The sandbox escape vector elevates attacker privileges from renderer isolation to host system access. The fix was backported to stable channel release 148.0.7778.168. Attack complexity is high due to required renderer compromise and user interaction, but scope change (S:C) indicates impact beyond the vulnerable component.

Defensive priority

HIGH

Recommended defensive actions

  • Update Google Chrome to version 148.0.7778.168 or later on all Windows endpoints.
  • Verify automatic updates are enabled for Chrome in enterprise environments.
  • Monitor for unusual renderer process crashes or unexpected child process spawning from chrome.exe.
  • Apply principle of least privilege to limit impact of potential sandbox escapes.
  • Review Chrome component update policies to ensure timely security patch deployment.

Evidence notes

CVE description confirms use-after-free (CWE-416) in Chrome Core on Windows. NVD analysis published 2026-05-14, modified 2026-05-19. Chrome Release Notes dated 2026-05-12 confirm fix in version 148.0.7778.168. CVSS 3.1 vector AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H yields score 8.3. No KEV entry present.

Official resources

2026-05-14