PatchSiren

CVE-2026-9992 Google CVE debrief

A use-after-free vulnerability in Google Chrome's Network component, rated High severity by Chromium, allows remote code execution inside the browser sandbox when a user visits a crafted HTML page. The flaw was addressed in Chrome 148.0.7778.216 for desktop platforms.

Vendor: Google
Product: Chrome
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations with Chrome deployments on desktop platforms; security teams managing browser update cadence; endpoint protection teams monitoring for browser-based exploitation.

Technical summary

CVE-2026-9992 is a use-after-free (CWE-416) in Chrome's Network subsystem. A remote attacker can exploit the flaw by inducing a user to load a malicious HTML page, resulting in arbitrary code execution within the browser sandbox. The vulnerability is network-exploitable, requires user interaction, and needs no privileges. Google patched it in Chrome 148.0.7778.216; earlier versions on Windows, macOS, and Linux are affected. There is no known exploitation in ransomware campaigns (not listed in CISA KEV).

Defensive priority

high

Recommended defensive actions

  • Update Google Chrome to version 148.0.7778.216 or later on all supported desktop platforms (Windows, macOS, Linux).
  • Verify automatic update mechanisms are enabled and functioning for managed Chrome deployments.
  • If immediate patching is not feasible, restrict users from visiting untrusted websites and disable JavaScript where operationally acceptable, noting this may not fully eliminate risk given the Network component attack surface.
  • Monitor for anomalous browser crashes or unexpected sandbox escape indicators on endpoints running unpatched Chrome versions.
  • Review Chromium security advisories for additional stable-channel fixes released concurrently.
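
One way to check a fleet against the fixed build, as an added example that is not part of the original debrief. The inventory rows, hostnames and function names are constructed for illustration; only the version 148.0.7778.216 comes from the advisory. Versions are compared as integer tuples because a plain string comparison ranks 148.0.7778.99 above 148.0.7778.216.

```python
import re

# Fixed build from the advisory; any lower build is affected.
FIXED = (148, 0, 7778, 216)

# Constructed sample inventory: (host, platform, reported version string).
SAMPLE_INVENTORY = [
    ("ws-001", "windows", "Google Chrome 148.0.7778.216"),
    ("ws-002", "windows", "148.0.7778.99"),   # sorts "higher" as a string
    ("mb-003", "macos", "Google Chrome 147.0.7700.10"),
    ("lx-004", "linux", "Google Chrome 149.0.7800.1 beta"),
    ("lx-005", "linux", "unknown"),            # agent returned no version
]

# Exactly four dotted numeric fields, not embedded in a longer dotted run.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Return a 4-tuple of ints, or None if no four-part version is present."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text):
    """Classify one reported version string against the fixed build."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # unverified hosts are never counted as patched
    return "patched" if version >= FIXED else "vulnerable"


def triage(inventory):
    """Group hostnames by classification, preserving input order."""
    result = {}
    for host, _platform, version_text in inventory:
        result.setdefault(classify(version_text), []).append(host)
    return result


if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:12} {', '.join(hosts)}")
```

Hosts in the "unknown" group need a manual check, since a missing version usually means the inventory agent or the updater itself is not working.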

Evidence notes

CVE published 2026-05-28; NVD entry modified 2026-05-29. Vendor advisory confirms fix in Chrome 148.0.7778.216. Chromium bug tracker entry 513177826 is restricted (Permissions Required). CPE data indicates affected product is Google Chrome versions prior to 148.0.7778.216 on Windows, macOS, and Linux. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. CWE-416 (Use After Free) identified.
