PatchSiren cyber security CVE debrief
CVE-2026-8575 Google CVE debrief
Use-after-free vulnerability in Google Chrome's UI component, enabling sandbox escape from a compromised renderer process.
- Vendor: Google
- Product: Chrome
- CVSS: HIGH 8.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-14
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-14
- Advisory updated: 2026-05-19
Who should care
Enterprise security teams managing Chrome deployments; organizations with high-risk browsing profiles; incident responders investigating browser-based compromise chains.
Technical summary
A use-after-free condition in Chrome's UI component allows an attacker who has already compromised the renderer process to escape the browser sandbox. The vulnerability requires user interaction (UI:R) and high attack complexity (AC:H), but successful exploitation yields complete confidentiality, integrity, and availability impact with scope change (S:C). The fix was released in Chrome 148.0.7778.168.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Google Chrome to version 148.0.7778.168 or later.
- Verify browser auto-update is enabled and functioning.
- Monitor for unexpected renderer crashes or sandbox escape indicators in enterprise endpoint telemetry.
- Where patching is delayed, restrict execution of untrusted HTML content to isolated environments.
Evidence notes
CVE published 2026-05-14; NVD entry modified 2026-05-19. Vendor advisory confirms fix in Chrome 148.0.7778.168. Chromium issue tracker reference requires permissions. CVSS 8.3 (HIGH) per NVD vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H. CWE-416 (Use After Free) assigned by Google. Not listed in CISA KEV.
Official resources
- CVE-2026-8575 CVE record (CVE.org)
- CVE-2026-8575 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: Vendor Advisory
- Source reference: Permissions Required
2026-05-14