PatchSiren cyber security CVE debrief

CVE-2026-8580 Google CVE debrief

A use-after-free vulnerability in Mojo, Chrome's inter-process communication framework, enables a remote sandbox escape via crafted HTML. The flaw affects Google Chrome versions prior to 148.0.7778.168. Google assigned Medium severity internally; NVD analysis yields CVSS 9.6 (Critical) based on a network attack vector, low attack complexity, no privileges required, user interaction required, a scope change, and high impact on confidentiality, integrity, and availability. The vulnerability was published on 2026-05-14 and last modified on 2026-05-19. No known exploitation in ransomware campaigns has been documented, and the issue is not listed in CISA KEV.

Vendor: Google
Product: Chrome
CVSS: CRITICAL 9.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-19
Advisory published: 2026-05-14
Advisory updated: 2026-05-19

Who should care

Organizations with unmanaged or consumer-grade Chrome deployments; security teams responsible for browser security baselines; incident response teams tracking browser exploitation chains.

Technical summary

The vulnerability resides in Mojo, Chrome's IPC system. A use-after-free condition allows a remote attacker to corrupt memory and escape the browser sandbox through malicious HTML content. Successful exploitation could lead to arbitrary code execution outside sandbox constraints. The fix was released in Chrome 148.0.7778.168.

Defensive priority

Critical

Recommended defensive actions

  • Update Google Chrome to version 148.0.7778.168 or later immediately.
  • Verify browser version via chrome://settings/help and confirm update installation.
  • If immediate patching is not feasible, restrict browsing to trusted sites and disable JavaScript where operationally acceptable to reduce attack surface.
  • Monitor for unexpected browser crashes or sandbox escape indicators in endpoint detection logs.
  • Review application control policies to prevent execution of outdated Chrome binaries.
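To support the version-verification and application-control steps above at fleet scale, the following added example (not PatchSiren's or Google's code) compares reported Chrome versions against the fixed build 148.0.7778.168 numerically, component by component, which a plain string comparison gets wrong. Host names and versions in the sample inventory are constructed for illustration.

```python
"""Flag Chrome installs older than the fixed build for CVE-2026-8580."""

# Fixed version stated in the advisory.
FIXED_VERSION = "148.0.7778.168"


def parse_version(v: str) -> tuple[int, ...]:
    """Parse a dotted Chrome version (MAJOR.MINOR.BUILD.PATCH) into a tuple of ints.

    Missing trailing components are padded with 0 so a truncated inventory entry
    such as "148.0.7778" still compares sensibly; malformed input raises ValueError.
    Comparing ints (not strings) matters: as strings, "148.0.7778.9" sorts above
    "148.0.7778.168" and would wrongly look patched.
    """
    parts = v.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed Chrome version: {v!r}")
    return tuple(int(p) for p in parts) + (0,) * (4 - len(parts))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly below the fixed version
    (matches the NVD CPE criterion "versions before 148.0.7778.168")."""
    return parse_version(installed) < parse_version(fixed)


def triage_inventory(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a host -> reported-version inventory into vulnerable, patched and
    unparseable buckets; unparseable hosts need manual follow-up, not silence."""
    result: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unparseable": []}
    for host, version in inventory.items():
        try:
            bucket = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            bucket = "unparseable"
        result[bucket].append(host)
    return result


# Constructed sample inventory (hypothetical hosts, as an endpoint agent might report).
SAMPLE_INVENTORY = {
    "ws-0101": "148.0.7778.168",  # exactly the fixed build
    "ws-0102": "148.0.7778.167",  # one patch level short
    "ws-0103": "147.0.7700.201",  # previous major
    "ws-0104": "148.0.7800.12",   # newer build, lower patch number
    "ws-0105": "148.0.7778",      # truncated report, pads to .0
    "ws-0106": "unknown",         # agent could not read the version
}

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```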

Evidence notes

CWE-416 (Use After Free) confirmed via NVD secondary source from [email protected]. Affected product versions identified through CPE criteria: google:chrome versions before 148.0.7778.168. CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H sourced from NVD record.

Official resources

2026-05-14T20:17:20.367Z