PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9978 Google CVE debrief

A use-after-free vulnerability in Glic (Google's Linux Integrity Checker / related Chrome component) allows remote code execution inside the Chrome sandbox when a user visits a crafted HTML page. The flaw was fixed in Chrome 148.0.7778.216 for desktop. Google rates this as High severity. The CVSS 3.1 score of 8.8 reflects network attack vector, low complexity, no privileges required, user interaction required, and high impact to confidentiality, integrity, and availability. The underlying weakness is CWE-416 (Use After Free). No known exploitation in ransomware campaigns has been catalogued in CISA KEV.

Vendor: Google
Product: Chrome
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations and individuals running Google Chrome on desktop platforms; security teams responsible for browser patching, endpoint protection, and web content filtering; enterprises with bring-your-own-device or remote workforce policies relying on Chrome for business applications.

Technical summary

The vulnerability exists in Glic, a Chrome component, where a use-after-free condition can be triggered by a malicious HTML page. A remote attacker can exploit this to execute arbitrary code within the Chrome sandbox. The attack requires user interaction (e.g., visiting a malicious page) but no privileges or local access. The fix was released in Chrome 148.0.7778.216.

Defensive priority

High

Recommended defensive actions

  • Update Google Chrome to version 148.0.7778.216 or later for all supported desktop platforms (Windows, macOS, Linux).
  • Verify automatic update channels are enabled and have successfully applied the patch; if managed, push the update through enterprise deployment tools.
  • Restrict or monitor execution of untrusted HTML content and limit user browsing to trusted sites until patching is confirmed, as exploitation requires user interaction with a crafted page.
  • Review sandbox escape detection and monitoring capabilities, since the vulnerability achieves code execution inside the sandbox; ensure layered defenses can detect anomalous renderer or GPU process behavior.
  • For environments with extended patching timelines, consider browser isolation, site-blocking for untrusted categories, or application control policies that prevent execution of unpatched Chrome versions.
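The second action above (confirming the patch actually landed) is where fleet checks commonly go wrong: Chrome versions have four numeric fields, so a plain string comparison ranks 148.0.7778.99 above 148.0.7778.216. The following is an added example, not PatchSiren or Google code; it uses the fixed version named in this debrief as its threshold, and the hostnames, versions and CSV layout are constructed for illustration.

```python
"""Classify a Chrome inventory against the fix version in this debrief.

Added example (not from the advisory or from Google). Only the fixed
version below comes from the page; the inventory records are constructed.
"""

FIXED_VERSION = "148.0.7778.216"  # version named in the advisory


def parse_version(s):
    """Turn 'a.b.c.d' into a tuple of ints; None if malformed.

    Tuple comparison is what makes this correct: comparing the raw
    strings would rank '148.0.7778.99' above '148.0.7778.216'.
    """
    parts = s.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_patched(version, fixed=FIXED_VERSION):
    """True if version >= fixed, False if older, None if unparseable."""
    v, f = parse_version(version), parse_version(fixed)
    if v is None or f is None:
        return None
    return v >= f


def triage_inventory(lines):
    """Group 'hostname,version' records into patched/vulnerable/unparseable."""
    report = {"patched": [], "vulnerable": [], "unparseable": []}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and the header comment
        host, _, version = line.partition(",")
        state = is_patched(version)
        key = "unparseable" if state is None else ("patched" if state else "vulnerable")
        report[key].append(host)
    return report


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    "# host,chrome_version",
    "ws-01,148.0.7778.216",
    "ws-02,148.0.7778.99",   # string-compares as newer, is actually older
    "ws-03,147.0.7600.120",
    "ws-04,149.0.7801.10",
    "ws-05,unknown",         # agent failed to report a version
]

if __name__ == "__main__":
    for state, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{state}: {', '.join(hosts) or '-'}")
```

Hosts landing in the unparseable bucket should be treated as unconfirmed rather than dropped, since a missing version is usually an agent or inventory failure rather than evidence of a patched browser.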

Evidence notes

The CVE description and NVD record confirm a use-after-free in Glic with sandboxed RCE via crafted HTML. CPE data lists the affected product as Google Chrome versions prior to 148.0.7778.216 (and prior to 148.0.7778.215 in an additional CPE entry). The CVSS vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H supports the 8.8 score. Chromium issue 511741396 is marked Permissions Required, so its details are not publicly viewable. The Chrome Releases blog entry provides the vendor advisory context.

Official resources

2026-05-28