PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9933 Google CVE debrief

Use-after-free in Chrome Input handling enables remote heap corruption via crafted HTML and specific UI gestures. Google rated High severity. No known exploitation in the wild (not in CISA KEV). Patch available in Chrome 148.0.7778.216.

Vendor
Google
Product
Chrome
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

Organizations with unmanaged or broadly deployed Chrome installations; security teams tracking browser-based initial-access vectors; desktop support teams responsible for patch cadence.

Technical summary

CVE-2026-9933 is a use-after-free vulnerability in the Input component of Google Chrome. A remote attacker can craft a malicious HTML page and induce a victim to perform specific UI gestures, potentially triggering heap corruption. Successful exploitation could lead to arbitrary code execution within the Chrome sandbox. The flaw is fixed in Chrome 148.0.7778.216. The CVSS v3.1 score is 7.5 (High), with attack complexity rated High and user interaction required.

Defensive priority

high

Recommended defensive actions

  • Update Google Chrome to version 148.0.7778.216 or later on all endpoints.
  • If immediate patching is not feasible, restrict users from visiting untrusted websites and disable JavaScript where operationally acceptable. The trigger is described as crafted HTML plus specific UI gestures, not JavaScript, so disabling JavaScript is not a guaranteed mitigation.
  • Monitor for unexpected Chrome renderer crashes or memory-corruption indicators that could signal exploitation attempts.
  • Review endpoint detection and response (EDR) telemetry for suspicious child processes spawned from Chrome after user interaction with untrusted HTML content. Note that code execution inside the Chrome sandbox does not by itself let an attacker spawn processes; a child process from Chrome would indicate a chained sandbox escape, which this advisory does not describe.
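Gating on "148.0.7778.216 or later" is easy to get wrong when the version check compares strings: as text, "148.0.7778.99" sorts after "148.0.7778.216" and a vulnerable build passes. The following is an added example (not PatchSiren's or Google's code) that parses four-part Chrome version strings, compares them numerically against the fixed version, and lists hosts still needing the update. The inventory is constructed sample data; in practice the version strings would come from your endpoint management tool or, on Linux, from `google-chrome --version`.

```python
from __future__ import annotations

import re

# Fixed version from the advisory for CVE-2026-9933.
FIXED_VERSION = "148.0.7778.216"

# Chrome versions are MAJOR.MINOR.BUILD.PATCH; this also matches inside
# strings such as "Google Chrome 148.0.7778.216".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Extract the four-part Chrome version as a tuple of integers.

    Integer tuples compare component by component, so 7778.216 > 7778.99.
    A plain string comparison would get that backwards.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Chrome version found in {text!r}")
    major, minor, build, patch = (int(g) for g in m.groups())
    return (major, minor, build, patch)


def is_patched(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed version is the fixed version or later."""
    return parse_version(version_text) >= parse_version(fixed)


def unpatched_hosts(inventory: list[tuple[str, str]]) -> list[str]:
    """Return the sorted hostnames whose Chrome is older than FIXED_VERSION.

    inventory is a list of (hostname, version_string) pairs. Entries whose
    version cannot be parsed are reported as unpatched so they are not
    silently skipped.
    """
    out = []
    for host, ver in inventory:
        try:
            ok = is_patched(ver)
        except ValueError:
            ok = False
        if not ok:
            out.append(host)
    return sorted(out)


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    ("ws-001", "Google Chrome 148.0.7778.216"),  # exactly the fixed version
    ("ws-002", "148.0.7778.99"),                 # older patch number
    ("ws-003", "149.0.7900.10"),                 # newer major version
    ("ws-004", "147.0.7700.300"),                # older major version
    ("ws-005", "unknown"),                       # agent reported nothing usable
]

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: update Chrome to {FIXED_VERSION} or later")
```

The string-versus-integer pitfall is the one worth remembering: any inventory query that does `version < '148.0.7778.216'` as text will report the wrong answer for patch numbers with fewer digits.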

Evidence notes

CWE-416 (Use After Free) assigned by Google. CVSS 3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H yields 7.5. Affected versions confirmed below 148.0.7778.216 per NVD CPE data. Vendor advisory and Chromium bug tracker both list Google as source.

Official resources

2026-05-28