PatchSiren

CVE-2026-9902 Google CVE debrief

A use-after-free vulnerability in Google Chrome's Accessibility component, rated High severity by Chromium security, enables sandbox escape from a compromised renderer process. The flaw was addressed in Chrome 148.0.7778.216.

Vendor: Google
Product: Chrome
CVSS: HIGH 8.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations with Chrome deployments; security teams monitoring browser-based attack chains; incident responders investigating renderer compromises

Technical summary

CVE-2026-9902 is a use-after-free vulnerability (CWE-416) in the Accessibility component of Google Chrome. The flaw allows a remote attacker who has already compromised the renderer process to potentially escape the Chrome sandbox via a crafted HTML page. Chrome's multi-process architecture isolates web content in renderer processes with restricted privileges; sandbox escape represents escalation to broader system access. The vulnerability was remediated in Chrome Stable channel version 148.0.7778.216, released May 28, 2026. No CISA KEV listing is present as of the CVE modification date.

Defensive priority

High

Recommended defensive actions

  • Update Google Chrome to version 148.0.7778.216 or later
  • Verify browser version via chrome://settings/help
  • Enable automatic updates for Chrome where organizational policy permits
  • Review endpoint detection coverage for renderer process anomalies
  • Monitor for unexpected browser crashes or accessibility service interactions
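
To apply the first two actions across a fleet rather than one browser at a time, the following added example (not part of the original advisory or any Google tooling) triages an inventory of reported Chrome version strings against the fixed version 148.0.7778.216. The inventory format, hostnames and sample versions are constructed assumptions, and the check assumes the single fixed version stated on this page applies to every host.

```python
import re

FIXED = (148, 0, 7778, 216)  # fixed Stable version stated on this page

# Chrome versions are four dot-separated integers (MAJOR.MINOR.BUILD.PATCH).
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_patched(version, fixed=FIXED):
    # Tuple comparison is numeric per component; comparing the raw strings
    # would wrongly rank "148.0.7778.99" above "148.0.7778.216".
    return version >= fixed


def triage(inventory):
    """Map host -> 'patched' | 'vulnerable' | 'unknown' from 'host,version' rows."""
    result = {}
    for row in inventory.strip().splitlines():
        host, _, raw = row.partition(",")
        version = parse_version(raw)
        if version is None:
            status = "unknown"  # unparsable or missing: needs a manual check
        else:
            status = "patched" if is_patched(version) else "vulnerable"
        result[host.strip()] = status
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = """
ws-001,Google Chrome 148.0.7778.216
ws-002,Google Chrome 148.0.7778.99
ws-003,Google Chrome 149.0.7800.12
ws-004,Google Chrome 147.0.7700.300
ws-005,not installed
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

A version read from disk can be newer than the one actually running until the browser is relaunched, so treat "patched" hosts with long-lived Chrome sessions as pending until chrome://settings/help confirms the running version.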

Evidence notes

CVE published 2026-05-28; modified 2026-05-29. The Chrome Stable channel update was released the same day as CVE publication. The Chromium bug tracker reference confirms the issue classification.

Official resources

2026-05-28