PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9970 Google CVE debrief

A use-after-free vulnerability in WebGL within Google Chrome versions prior to 148.0.7778.216 enables a remote attacker who has already compromised the renderer process to potentially escape the browser sandbox. The vulnerability carries a High severity rating per Chromium's security classification and a CVSS 3.1 score of 8.3 (HIGH). The issue was published in the NVD on May 28, 2026, with a subsequent modification on May 29, 2026; the vulnerability remains under analysis by NVD. The underlying weakness is CWE-416 (Use After Free). No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

Vendor
Google
Product
Chrome
CVSS
HIGH 8.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

Organizations running Google Chrome in environments where browser sandbox escapes could lead to system compromise; security teams responsible for browser patch management and endpoint protection.

Technical summary

The vulnerability is a use-after-free condition in Chrome's WebGL implementation. An attacker who has already achieved renderer process compromise can trigger the flaw using a crafted HTML page, potentially escaping the browser sandbox and elevating privileges. The attack requires user interaction (UI:R) and has high attack complexity (AC:H), but network exploitation is possible (AV:N) with no privileges required (PR:N). The scope is changed (S:C) with high impacts to confidentiality, integrity, and availability.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Google Chrome to version 148.0.7778.216 or later as provided in the Stable Channel update.
  • Apply security updates promptly due to the sandbox escape potential and High severity rating.
  • Restrict execution of untrusted HTML content and maintain renderer process isolation controls as defense-in-depth.
  • Monitor for future KEV listing or active exploitation reports given the sandbox escape impact.

Evidence notes

The CVE description and NVD metadata confirm the vulnerability class (use-after-free in WebGL), affected product and version boundary (Google Chrome prior to 148.0.7778.216), attacker prerequisites (renderer process compromise), and potential impact (sandbox escape). The CVSS vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H supports the 8.3 score. Chromium's security severity is rated High. NVD vulnStatus is 'Undergoing Analysis' as of the May 29, 2026 modification timestamp.

Official resources

Google Chrome Stable Channel update