PatchSiren cyber security CVE debrief
CVE-2026-9881 Google CVE debrief
A critical use-after-free vulnerability in Google Chrome's Bluetooth subsystem on macOS, fixed in version 148.0.7778.216. The flaw could enable sandbox escape via malicious Chrome extension installation.
- Vendor
- Product
- Chrome
- CVSS
- CRITICAL 9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-28
- Original CVE updated
- 2026-05-29
- Advisory published
- 2026-05-28
- Advisory updated
- 2026-05-29
Who should care
macOS users running Google Chrome; organizations with Chrome browser deployments on Apple endpoints; security teams managing browser extension policies; incident responders investigating potential sandbox escape chains involving malicious extensions
Technical summary
CVE-2026-9881 is a use-after-free (CWE-416) vulnerability in the Bluetooth implementation of Google Chrome on macOS. The vulnerability exists in versions prior to 148.0.7778.216. An attacker could exploit this flaw by convincing a user to install a malicious Chrome extension, potentially achieving sandbox escape. The Chromium security team has assigned this a Critical severity rating. The vulnerability was addressed in the Chrome Stable Channel update released May 2026.
Defensive priority
critical
Recommended defensive actions
- Update Google Chrome on macOS to version 148.0.7778.216 or later
- Audit installed Chrome extensions and remove untrusted or unnecessary extensions
- Restrict extension installation through enterprise policies where applicable
- Monitor for unusual Bluetooth subsystem activity on managed macOS endpoints
Evidence notes
CVE published 2026-05-28; modified 2026-05-29. Chromium security severity rated Critical. Affects Chrome on Mac prior to 148.0.7778.216. CWE-416 (Use After Free) identified. No KEV listing. Vendor evidence from Google Chrome release notes and Chromium issue tracker.
Official resources
2026-05-28