PatchSiren

CVE-2026-9120 Google CVE debrief

CVE-2026-9120 is a high-severity use-after-free in WebRTC within Google Chrome before 148.0.7778.179. According to the CVE record, a remote attacker could execute arbitrary code by getting a victim to open a crafted HTML page. The published CVSS vector reflects network-based exploitation with user interaction required, and the impact is rated high for confidentiality, integrity, and availability.

Vendor: Google
Product: Chrome
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-21
Advisory published: 2026-05-20
Advisory updated: 2026-05-21

Who should care

Organizations that deploy or manage Google Chrome on desktop systems should treat this as urgent, especially if users regularly browse untrusted web content. Security teams, endpoint administrators, and anyone responsible for browser patching and update enforcement should prioritize it.

Technical summary

The issue is identified as CWE-416 (use after free) in Chrome’s WebRTC component. The CVE details indicate exploitation via a crafted HTML page, which makes the flaw reachable from the web without authentication. The provided CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (8.8 High), consistent with a browser-based remote code execution risk where successful exploitation depends on user interaction.

Defensive priority

High. This is a remotely reachable browser memory-safety flaw with code execution impact. Patch prioritization should be immediate for systems running affected Chrome versions, particularly user-facing endpoints that may encounter untrusted pages.

Recommended defensive actions

  • Update Google Chrome to 148.0.7778.179 or later as soon as practical.
  • Verify that browser auto-update is enabled and functioning across managed endpoints.
  • Prioritize remediation for users who browse external or untrusted sites regularly.
  • Monitor fleet compliance for Chrome version drift and confirm the fixed build is deployed.
  • Treat suspicious HTML/content delivery to browsers as a potential attack vector until patching is complete.
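A fleet version-drift check of the kind the last two actions call for, added here as an example rather than PatchSiren's or Google's code. The inventory records are constructed; the only value taken from the CVE record is the fixed build 148.0.7778.179.

```python
"""Fleet check for CVE-2026-9120: flag Chrome installs below the fixed build.
Added example, not PatchSiren's or Google's code; inventory data is constructed."""
import re
from typing import Iterable

FIXED_CHROME_VERSION = "148.0.7778.179"  # fixed build named in the CVE record
_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")  # MAJOR.MINOR.BUILD.PATCH


def parse_version(version: str) -> tuple[int, ...]:
    """Parse a Chrome version into a numeric tuple; compare numerically, since
    "148.0.7778.95" sorts above "148.0.7778.179" as a string."""
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_CHROME_VERSION) -> bool:
    """True when the installed build is older than the fixed build."""
    return parse_version(installed) < parse_version(fixed)


def find_version_drift(inventory: Iterable[dict],
                       fixed: str = FIXED_CHROME_VERSION) -> list[dict]:
    """Hosts still on a vulnerable Chrome, plus hosts whose version is unreadable.
    Missing data is reported, not skipped: no data is not evidence of patching."""
    findings = []
    for host in inventory:
        name, version = host.get("host", "?"), host.get("chrome_version") or ""
        try:
            if is_vulnerable(version, fixed):
                findings.append({"host": name, "version": version,
                                 "reason": "below fixed build"})
        except ValueError as exc:
            findings.append({"host": name, "version": version,
                             "reason": f"unreadable version ({exc})"})
    return findings


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "ws-001", "chrome_version": "148.0.7778.179"},  # exactly the fix
    {"host": "ws-002", "chrome_version": "148.0.7778.95"},   # older patch level
    {"host": "ws-003", "chrome_version": "147.0.7700.212"},  # older major
    {"host": "ws-004", "chrome_version": "149.0.7800.10"},   # newer than fix
    {"host": "ws-005", "chrome_version": "unknown"},         # inventory gap
]
```

Running `find_version_drift(SAMPLE_INVENTORY)` reports ws-002 and ws-003 as below the fixed build and ws-005 as unreadable, while ws-001 and ws-004 pass.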

Evidence notes

All claims are grounded in the supplied NVD record and its cited Google sources. The CVE description states: use-after-free in WebRTC in Google Chrome prior to 148.0.7778.179, remote attacker, arbitrary code, crafted HTML page. NVD also records CWE-416 and the CVSS vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. No exploitation prevalence, weaponization, or campaign claims are included because none were provided.

Official resources

The CVE/NVD record was published on 2026-05-20T20:16:43.600Z; the supplied record shows no separate later modification date. This debrief uses the CVE published timestamp for timing context.