PatchSiren cyber security CVE debrief
CVE-2026-9964 Google CVE debrief
A use-after-free vulnerability in the Bluetooth subsystem of Google Chrome on macOS allows arbitrary code execution when a user installs a malicious Chrome extension. The flaw, rated High severity by Chromium, exists in Chrome versions prior to 148.0.7778.216. The CVSS 3.1 score of 8.1 reflects high impact to confidentiality, integrity, and availability despite requiring high attack complexity. The vulnerability was published in the NVD on May 28, 2026, and modified on May 29, 2026. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA KEV.
- Vendor
- Product: Chrome
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-29
Who should care
Organizations with macOS endpoints running Google Chrome, particularly those allowing user-managed extensions. Security teams responsible for browser hardening, extension governance, and endpoint protection on Apple platforms.
Technical summary
The vulnerability is a use-after-free (CWE-416) in Chrome's Bluetooth implementation on macOS. Triggering it requires the user to install a malicious Chrome extension, which then drives a crafted sequence that reaches the memory-corruption flaw. Successful exploitation yields arbitrary code execution in the browser context. The fix ships in Chrome stable release 148.0.7778.216. In CVSS terms the attack vector is network, attack complexity is high, no privileges are required, no user interaction is needed beyond the extension installation, and scope is unchanged.
Defensive priority
high
Recommended defensive actions
- Update Google Chrome to version 148.0.7778.216 or later on macOS systems.
- Restrict installation of Chrome extensions to trusted sources and enterprise-approved catalogs.
- Monitor for unusual Bluetooth subsystem activity or unexpected extension behavior on managed macOS endpoints.
- Review extension permissions and remove unneeded or unrecognized extensions.
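The first and last actions above can be scripted on a managed Mac. The following is an added example, not code from the advisory or from Google: it compares the installed Chrome build against the fixed version field by field (a plain string comparison would mis-order versions) and lists the extension IDs present in the default profile for review. The application bundle path and profile path are the standard defaults and are assumed here.

```shell
#!/bin/sh
# Added example: check a macOS endpoint against the fixed Chrome build named in
# the advisory, then list extension IDs from the default profile for review.
# Install and profile paths are the standard defaults and are assumed here.
FIXED_VERSION="148.0.7778.216"

# version_ge A B: succeed if dotted version A is at or above B.
# Chrome versions are four numeric fields, so compare field by field;
# a plain string comparison would rank "9" above "148".
version_ge() {
    i=1
    while [ "$i" -le 4 ]; do
        fa=$(printf '%s' "$1" | cut -d. -f"$i"); fa=${fa:-0}
        fb=$(printf '%s' "$2" | cut -d. -f"$i"); fb=${fb:-0}
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# chrome_status VERSION: print "patched" or "vulnerable" relative to FIXED_VERSION.
chrome_status() {
    if version_ge "$1" "$FIXED_VERSION"; then echo patched; else echo vulnerable; fi
}

# installed_chrome_version: read the bundle version from the app's Info.plist
# (assumed default install path; fails quietly if Chrome is not there).
installed_chrome_version() {
    plist="/Applications/Google Chrome.app/Contents/Info.plist"
    [ -f "$plist" ] || return 1
    /usr/libexec/PlistBuddy -c "Print CFBundleShortVersionString" "$plist"
}

# list_extension_ids: one extension ID per line from the default profile
# (assumed default profile path; compare the IDs against your allowlist).
list_extension_ids() {
    ext_dir="$HOME/Library/Application Support/Google/Chrome/Default/Extensions"
    [ -d "$ext_dir" ] || return 1
    ls "$ext_dir"
}

if v=$(installed_chrome_version); then
    echo "Chrome $v: $(chrome_status "$v") (fixed in $FIXED_VERSION)"
else
    echo "Google Chrome not found at the default install path"
fi
list_extension_ids || echo "no extensions directory in the default profile"
```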
Evidence notes
The NVD record identifies CWE-416 (Use After Free) as the weakness type. CPE data indicates the vulnerable product is Google Chrome on macOS, with the non-vulnerable platform being Apple macOS itself. The Chrome release notes and Chromium issue tracker provide authoritative technical sourcing. Vendor attribution to Apple in the source data carries medium confidence per NVD CPE analysis; the vulnerability is in Google Chrome's Bluetooth implementation running on macOS.
Official resources
- CVE-2026-9964 CVE record (CVE.org)
- CVE-2026-9964 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Release Notes
- Source reference: [email protected] - Permissions Required
- Google Chrome Stable Channel update for desktop released May 2026