PatchSiren cyber security CVE debrief
CVE-2026-9888 Google CVE debrief
A critical use-after-free vulnerability in WebView on Google Chrome for Android, disclosed 2026-05-28, enables sandbox escape from a compromised renderer process. The flaw (CWE-416) affects versions prior to 148.0.7778.216. No known exploitation in the wild has been confirmed.
- Vendor: Google
- Product: Chrome
- CVSS: HIGH 8.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-29
Who should care
Android device administrators, mobile application developers using WebView, enterprise mobility management teams, and security operations centers monitoring the mobile threat landscape.
Technical summary
The vulnerability exists in the WebView component of Google Chrome on Android, where improper memory management leads to a use-after-free condition. An attacker who has already achieved code execution in the renderer process can leverage this flaw to escape the browser sandbox. This represents a critical severity issue due to the potential for full device compromise following initial renderer compromise. The fix was released in Chrome 148.0.7778.216.
Defensive priority
critical
Recommended defensive actions
- Update Google Chrome on Android to version 148.0.7778.216 or later
- Monitor for Android WebView component updates via Google Play System Updates
- Review application WebView usage for untrusted content rendering
- Enable site isolation and sandboxing policies where supported
- Monitor CISA KEV for future exploitation confirmation
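To support the first action above, the following added example (not code from the advisory or from Google) classifies a device from the text of `adb shell dumpsys package com.android.chrome` against the fixed version 148.0.7778.216. The function names are hypothetical and the sample outputs are constructed for illustration.

```python
import re

FIXED = (148, 0, 7778, 216)  # fixed Chrome version stated in this debrief

def parse_version(text):
    """Turn '148.0.7778.216' into a tuple of ints; None if not a 4-part version."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def active_version(dumpsys_output):
    """Return versionName from the active 'Packages:' section only.

    A system app updated from the store also appears under 'Hidden system
    packages:' with its older factory version; that entry must be ignored.
    """
    section = None
    for line in dumpsys_output.splitlines():
        stripped = line.strip()
        if stripped.endswith(":") and not line.startswith(" "):
            section = stripped  # unindented header starts a new section
        elif section == "Packages:" and stripped.startswith("versionName="):
            return stripped.split("=", 1)[1]
    return None

def assess(dumpsys_output):
    """Classify a device as 'patched', 'vulnerable' or 'unknown'."""
    version = parse_version(active_version(dumpsys_output) or "")
    if version is None:
        return "unknown"
    # Compare numerically: as strings, '99' would sort above '216'.
    return "patched" if version >= FIXED else "vulnerable"

# Constructed sample outputs (not captured from real devices).
UPDATED = """Packages:
  Package [com.android.chrome] (1a2b3c):
    versionCode=777821600 minSdk=29 targetSdk=35
    versionName=148.0.7778.216
Hidden system packages:
  Package [com.android.chrome] (4d5e6f):
    versionName=131.0.6778.39
"""
STALE = """Packages:
  Package [com.android.chrome] (1a2b3c):
    versionName=148.0.7778.99
"""

if __name__ == "__main__":
    for name, out in (("updated", UPDATED), ("stale", STALE), ("missing", "")):
        print(name, assess(out))
```

A result of "unknown" means the package or its version line was not found and the device needs a manual check rather than being counted as patched.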
Evidence notes
Official Chrome release notes and Chromium issue tracker confirm the vulnerability class and affected platform. CVSS score pending NVD analysis.