PatchSiren

CVE-2026-9887 Google CVE debrief

A critical use-after-free vulnerability in Google Chrome's Proxy component, triggered by crafted PAC (Proxy Auto-Configuration) scripts, enables remote code execution. The flaw resides in how Chrome manages memory while processing proxy configuration. Attackers can exploit it by delivering malicious PAC scripts through network positioning or compromised infrastructure. The vulnerability affects Chrome versions prior to 148.0.7778.216. The Chrome stable channel update released on May 28, 2026, addresses this issue. Organizations should prioritize patching given the critical severity rating and remote attack vector.

Vendor: Google
Product: Chrome
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations using Google Chrome for business operations, security teams managing browser deployments, and users relying on proxy auto-configuration for network access.

Technical summary

A use-after-free condition occurs in Chrome's Proxy component when it processes PAC scripts. The resulting memory corruption allows attacker-controlled code execution in the browser context. The flaw is triggered by delivery of a malicious PAC script.

Defensive priority

Critical

Recommended defensive actions

  • Update Google Chrome to version 148.0.7778.216 or later immediately
  • Verify automatic updates are enabled for Chrome in enterprise environments
  • Audit and review PAC script sources in use across the organization
  • Consider network segmentation to limit PAC script delivery vectors
  • Monitor for anomalous proxy configuration changes
  • Review Chrome security advisories for additional hardening guidance
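
The update and PAC-source audit actions above can be checked together against an endpoint inventory. The following is an added example, not code from PatchSiren or Google: it flags hosts below the fixed build and PAC sources that are auto-detected, fetched without HTTPS, or served from an unapproved host. The record field names, the approved host and the sample records are constructed assumptions; the proxy_mode values follow Chrome's ProxyMode policy values.

```python
from urllib.parse import urlsplit

FIXED_VERSION = (148, 0, 7778, 216)        # first fixed build, from the advisory above
APPROVED_PAC_HOSTS = {"pac.corp.example"}  # assumption: hypothetical approved PAC host


def parse_version(text):
    """Turn '148.0.7778.216' into a tuple so builds compare numerically, not as strings."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected Chrome version format: {text!r}")
    return parts


def triage(record):
    """Return the findings for one inventory record (an empty list means clean)."""
    findings = []
    try:
        if parse_version(record["chrome_version"]) < FIXED_VERSION:
            findings.append("chrome-below-fixed-version")
    except (KeyError, ValueError):
        findings.append("chrome-version-unknown")
    mode = record.get("proxy_mode", "system")
    if mode == "auto_detect":
        findings.append("pac-source-auto-detected")  # PAC location learned from the network
    elif mode == "pac_script":
        url = urlsplit(record.get("pac_url", ""))
        if url.scheme != "https":
            findings.append("pac-not-fetched-over-https")
        if (url.hostname or "") not in APPROVED_PAC_HOSTS:
            findings.append("pac-host-not-approved")
    return findings


# Constructed sample inventory (not real hosts or real telemetry).
INVENTORY = [
    {"host": "ws-001", "chrome_version": "148.0.7778.216",
     "proxy_mode": "pac_script", "pac_url": "https://pac.corp.example/proxy.pac"},
    {"host": "ws-002", "chrome_version": "148.0.7778.98",
     "proxy_mode": "pac_script", "pac_url": "http://pac.corp.example/proxy.pac"},
    {"host": "ws-003", "chrome_version": "147.0.7700.10", "proxy_mode": "auto_detect"},
    {"host": "ws-004", "chrome_version": "unknown", "proxy_mode": "direct"},
]

if __name__ == "__main__":
    for rec in INVENTORY:
        print(rec["host"], triage(rec) or "ok")
```

The ws-002 record shows why the version is compared as integers: as plain strings, "148.0.7778.98" would sort after "148.0.7778.216" and the host would be missed.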

Evidence notes

CVE published 2026-05-28; modified 2026-05-29. Chromium security severity rated Critical. CWE-416 (Use After Free) confirmed by [email protected]. Affects Chrome Proxy component via crafted PAC script vector.

Official resources

2026-05-28