PatchSiren cyber security CVE debrief

CVE-2026-9114 Google CVE debrief

CVE-2026-9114 is a high-severity use-after-free in Google Chrome’s QUIC handling. According to the published description, a remote attacker could trigger the flaw with malicious network traffic and potentially achieve arbitrary code execution inside the browser sandbox on affected versions prior to 148.0.7778.179.

Vendor: Google
Product: Chrome
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-21
Advisory published: 2026-05-20
Advisory updated: 2026-05-21

Who should care

Organizations that manage or rely on Google Chrome on desktop systems should prioritize this issue, especially browser security teams, enterprise endpoint administrators, and users who may browse untrusted networks or content. Because the flaw is remotely reachable through network traffic, it matters even in environments without local access.

Technical summary

The issue is described as a use-after-free in QUIC, which is a memory-safety flaw class that can lead to code execution if an attacker can influence object lifetime and memory reuse. The supplied CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates network exploitability with required user interaction and potentially severe impact. The published record also maps the weakness to CWE-416 and identifies the fixed Chrome version as 148.0.7778.179.

Defensive priority

High. The combination of remote exposure, memory-corruption potential, and code-execution impact makes this a priority browser update for managed fleets and high-risk users.

Recommended defensive actions

  • Update Google Chrome to 148.0.7778.179 or later as soon as possible.
  • Verify that enterprise browser management and patch compliance systems have picked up the fixed release.
  • Until endpoints are patched, treat untrusted or unexpected network traffic (QUIC in particular) as potentially relevant to this issue.
  • Monitor Chromium and vendor advisories for any follow-up guidance or clarification tied to the issue and release.
  • If you maintain a browser hardening baseline, confirm Chrome auto-update is enabled and functioning across endpoints.
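One way to carry out the patch-compliance check above, as an added example that is not the debrief's or Google's own code: compare each reported Chrome version numerically against the fixed release 148.0.7778.179 from the record. The inventory format (a hypothetical "host,chrome_version" CSV) and the sample rows are constructed for illustration.

```python
# Added example (not the PatchSiren page's own code): flag Chrome installs that
# are still below the fixed release 148.0.7778.179 named in the CVE-2026-9114
# record. Chrome versions are four dotted integers and must be compared
# numerically, component by component: a plain string comparison misorders
# "148.0.7778.9" against "148.0.7778.179".
from typing import List, Tuple

FIXED_VERSION = "148.0.7778.179"  # fixed release from the CVE record

# Constructed sample inventory (hypothetical "host,chrome_version" CSV),
# not real telemetry.
SAMPLE_INVENTORY = """\
host,chrome_version
ws-001,148.0.7778.179
ws-002,148.0.7778.9
ws-003,147.0.7700.50
ws-004,149.0.7800.12
ws-005,148.0.7778.180
ws-006,unknown
"""

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'a.b.c.d' into a tuple of ints; raise ValueError on anything else."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version: {version!r}")
    return tuple(int(p) for p in parts)

def is_fixed(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is at or above the fixed release."""
    return parse_version(version) >= parse_version(fixed)

def find_vulnerable_hosts(inventory_csv: str) -> List[Tuple[str, str]]:
    """Return (host, version) for each host below the fix. Hosts whose version
    cannot be parsed are reported too, tagged 'unverified', rather than being
    silently counted as patched."""
    findings = []
    for line in inventory_csv.strip().splitlines()[1:]:  # skip header row
        host, version = line.split(",", 1)
        try:
            if not is_fixed(version):
                findings.append((host, version))
        except ValueError:
            findings.append((host, "unverified:" + version))
    return findings

if __name__ == "__main__":
    for host, version in find_vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {version} (fix is {FIXED_VERSION})")
```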

Evidence notes

This debrief is based on the supplied NVD record and its cited Chromium/Google references. The record states the vulnerability is a use-after-free in QUIC affecting Google Chrome prior to 148.0.7778.179, with remote exploitation via malicious network traffic and sandboxed code execution impact. The source metadata also lists CWE-416 and a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. No additional exploit details were used.

Official resources

The vulnerability was publicly disclosed on 2026-05-20 in the NVD record, which references a Google Chrome stable channel update and a Chromium issue for the affected flaw.