PatchSiren

CVE-2026-9976 Google CVE debrief

A high-severity inappropriate implementation vulnerability in Google Chrome's USB subsystem allows remote code execution via crafted HTML pages. Affected versions are prior to 148.0.7778.216 on Windows, macOS, and Linux. The vulnerability was published by NVD on 2026-05-28 and modified on 2026-05-29. No known exploitation in ransomware campaigns has been reported.

Vendor: Google
Product: Chrome
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations and individuals using Google Chrome versions prior to 148.0.7778.216 on Windows, macOS, or Linux should prioritize updating. Security teams managing browser deployments and those relying on WebUSB functionality should pay particular attention.

Technical summary

The vulnerability stems from an inappropriate implementation in the USB subsystem of Google Chrome. A remote attacker can exploit this flaw by convincing a user to visit a crafted HTML page, leading to arbitrary code execution. The attack requires no privileges and has low attack complexity, though user interaction is required. The confidentiality, integrity, and availability impacts are all rated High.

Defensive priority

High

Recommended defensive actions

  • Upgrade Google Chrome to version 148.0.7778.216 or later on all supported platforms (Windows, macOS, Linux).
  • Verify automatic update mechanisms are enabled and functioning for Chrome installations.
  • Restrict or monitor use of WebUSB APIs where not required for business operations, as the vulnerability resides in the USB implementation.
  • Apply security updates promptly given the High CVSS score and remote attack vector via crafted HTML pages.
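
An added example (not PatchSiren's or Google's code) for the upgrade and verification steps above: it triages an inventory of reported Chrome version strings against the fixed version 148.0.7778.216. Host names and every version other than the fixed one are constructed; versions are compared as integer tuples because a plain string comparison would rank 148.0.7778.98 above 148.0.7778.216.

```python
import re

# Fixed version stated in the advisory above.
FIXED = (148, 0, 7778, 216)
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the four-part Chrome version found in text as a tuple, or None."""
    m = _VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one reported version string."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # unparsable: review by hand, never assume patched
    return "patched" if v >= FIXED else "vulnerable"


def triage(inventory):
    """Group hosts by status. inventory: iterable of (host, platform, version_text)."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, platform, version_text in inventory:
        report[classify(version_text)].append((host, platform))
    return report


# Constructed sample inventory (hypothetical hosts and versions, not real data).
SAMPLE = [
    ("ws-001", "Windows", "148.0.7778.216"),
    ("ws-002", "Windows", "148.0.7778.98"),  # numerically below .216
    ("mac-01", "macOS", "Google Chrome 147.0.7700.120"),
    ("lnx-01", "Linux", "Google Chrome 149.0.7800.10 "),
    ("lnx-02", "Linux", ""),  # agent reported nothing
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(status, hosts)
```

Hosts in the `unknown` group need a manual check rather than being counted as updated.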

Evidence notes

CVSS 3.1 score of 8.8 (High) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. CWE-94 (Improper Control of Generation of Code) is listed as a secondary weakness. CPE configurations confirm Chrome versions below 148.0.7778.216 are vulnerable across Windows, macOS, and Linux platforms.

Official resources

Google disclosed this vulnerability via the Chrome Stable Channel update release notes. The underlying Chromium issue tracker entry remains access-restricted.