PatchSiren

CVE-2026-9123 Google CVE debrief

CVE-2026-9123 is a heap buffer overflow in Chromecast functionality in Google Chrome on Android, Linux, and ChromeOS. According to the CVE description, versions prior to 148.0.7778.179 could let a local attacker use malicious network traffic to execute arbitrary code inside a sandbox. The NVD record classifies the issue as high severity (CVSS 7.5), while the Chromium severity label in the source metadata is Medium. The safest interpretation is that this is a browser-update priority issue for any environment running the affected Chrome builds.

Vendor: Google
Product: Chrome
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-21
Advisory published: 2026-05-20
Advisory updated: 2026-05-21

Who should care

Organizations that manage Chrome on Android, Linux, or ChromeOS; teams responsible for browser patching; endpoint security and fleet management teams; and users who rely on Chromecast-related browser functionality. Because the issue is triggered through network traffic and affects a widely deployed browser component, it should be treated as a prompt remediation item.

Technical summary

The source record identifies a heap-based buffer overflow (CWE-122) in Chromecast in Google Chrome. The affected scope is Chrome on Android, Linux, and ChromeOS before 148.0.7778.179. The CVE description says a local attacker could reach arbitrary code execution inside a sandbox via malicious network traffic. NVD metadata provides the CVSS v3.1 vector AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, which indicates adjacent-network attack conditions with no privileges or user interaction but high complexity. The issue is tracked in Chromium’s bug system and tied to a Chrome stable-channel update reference in the provided source metadata.

Defensive priority

High

Recommended defensive actions

  • Upgrade Google Chrome to version 148.0.7778.179 or later on Android, Linux, and ChromeOS.
  • Prioritize patching managed browser fleets and confirm rollout completion across endpoints.
  • Review asset inventories for any devices that may be pinned to older Chrome builds or delayed update channels.
  • Monitor browser update compliance and alert on endpoints still reporting versions earlier than 148.0.7778.179.
  • Treat the Chromium issue and Chrome stable-channel update references as the authoritative source trail for vendor guidance.
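
The compliance check in the actions above can be scripted. The following is an added example, not part of the source advisory or any vendor tooling. It assumes an inventory export in CSV form with host, platform, and chrome_version columns; the column names, hostnames, and sample rows are constructed for illustration.

```python
import csv
import io

FIXED = (148, 0, 7778, 179)                  # first fixed build named in this debrief
AFFECTED = {"android", "linux", "chromeos"}  # platforms named in this debrief

# Constructed sample inventory export; hosts and column names are assumptions.
SAMPLE_INVENTORY = """\
host,platform,chrome_version
kiosk-01,ChromeOS,148.0.7778.179
dev-lnx-07,Linux,148.0.7778.99
pixel-22,Android,147.0.7700.12
win-lab-03,Windows,140.0.7000.1
build-lnx-02,Linux,149.0.7800.5
cart-cb-11,ChromeOS,unknown
"""

def parse_version(text):
    """Return a 4-tuple of ints, or None if the text is not a four-part build number."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(platform, version_text):
    """Return 'out_of_scope', 'unknown', 'vulnerable' or 'patched' for one endpoint."""
    if platform.strip().lower() not in AFFECTED:
        return "out_of_scope"  # platform not in the scope this debrief states
    version = parse_version(version_text)
    if version is None:
        return "unknown"       # unparseable reports need follow-up, not a silent pass
    # Tuple comparison is numeric per component. Comparing the raw strings
    # would rank "148.0.7778.99" above "148.0.7778.179" and miss the endpoint.
    return "vulnerable" if version < FIXED else "patched"

def audit(inventory_csv):
    """Map each host in the CSV text to its status."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["platform"], r["chrome_version"]) for r in reader}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        if status in ("vulnerable", "unknown"):
            print(f"ALERT {host}: {status}")
```

Endpoints reported as unknown are alerted alongside vulnerable ones so that agents sending malformed or missing version strings do not count as compliant.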

Evidence notes

This debrief is based only on the supplied NVD record, the CVE description, and the official reference URLs listed in the source metadata. The vendor attribution in the prompt is low-confidence and should be treated as needing review. No exploit details, reproduction steps, or additional unverified facts were added. The reference URLs were not expanded beyond their provided identity in the source corpus.

Official resources

Published by NVD and the CVE record on 2026-05-20T20:16:45.170Z. The supplied source metadata ties the issue to Chrome stable-channel guidance and a Chromium issue reference.