CVE-2026-9887: Critical Use-After-Free in Google Chrome Proxy Handler
A memory safety bug in Google Chrome's proxy handling system allows an attacker to craft a malicious Proxy Auto-Config (PAC) script that, when processed by the browser, causes the application to reference memory that has already been freed. This use-after-free condition can be leveraged to execute arbitrary code on a user's system. The vulnerability requires user interaction—specifically, the victim must visit a website or be directed to load a PAC script—but no special privileges are needed from the attacker's perspective. Chrome versions prior to 148.0.7778.216 are affected.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Use after free in Proxy in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted PAC script. (Chromium security severity: Critical)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9887 is a use-after-free vulnerability (CWE-416) in the Proxy component of Chromium-based browsers, specifically Google Chrome. The flaw occurs when a specially crafted PAC script is processed, leading to a dangling pointer condition. After memory is freed, the proxy handler continues to reference that location, allowing an attacker to corrupt heap state or execute code within the Chrome sandbox. The vulnerability is classified as Critical by Chromium's security team and carries a CVSS v3.1 score of 8.8 (High), reflecting the combination of network-based attack delivery, low complexity, requirement for user interaction, and high confidentiality, integrity, and availability impact. The attack surface is limited to scenarios where a PAC script is loaded—either through organizational policy, ISP interception, or compromise of a proxy configuration endpoint.
Business impact
Organizations using Chrome in environments where PAC scripts are deployed face remote code execution risk. If an attacker can inject or intercept PAC script delivery—through DNS hijacking, BGP interception, or compromise of a WPAD server—they can execute code in the context of the browser user. This is particularly concerning for enterprises that route proxy configuration through internal servers or for individuals in regions where network-level filtering is prevalent. The breach could lead to credential theft, malware installation, lateral movement into corporate networks, or data exfiltration. The requirement for user interaction somewhat limits risk compared to wormable network exploits, but the ease of delivering a malicious PAC makes this a medium-to-high business concern for most organizations.
Affected systems
Google Chrome versions prior to 148.0.7778.216 are directly affected. The vulnerability also impacts Chromium-based browsers built on vulnerable versions of the Chromium engine. Affected platforms include Microsoft Windows, Apple macOS, and Linux systems. End-user devices, developer workstations, and any system running a vulnerable Chrome version are at risk. Organizations using Chrome as a managed browser or standard client should prioritize patching all affected instances. Malicious PAC scripts could also affect other Chromium derivatives depending on their update cadence.
Exploitability
Exploitation requires crafting a malicious PAC script and ensuring it is loaded by the target's browser. The attacker must either compromise a WPAD (Web Proxy Auto-Discovery) server, intercept PAC delivery at the network level, or socially engineer a user into loading a PAC file from a malicious source. Real-world exploitability depends on environmental factors: in corporate networks with properly secured proxy infrastructure, risk is lower; in less controlled environments or where PAC files are fetched over HTTP (rather than HTTPS), risk is higher. The vulnerability does not require local access or elevated privileges. A working exploit would likely use heap spray or other heap manipulation techniques to achieve reliable code execution from within Chrome's sandbox context. Public exploit code has not been reported as of the last update to this record.
Remediation
Update Google Chrome to version 148.0.7778.216 or later. Users should enable automatic updates to receive patches as soon as they are released. Organizations should use device management tools (MDM/EMM) to enforce Chrome updates across their fleet. Until patching is complete, disable or verify the integrity of PAC script sources; if possible, use hardcoded proxy configurations over auto-discovery. Monitor for suspicious PAC file modifications or unexpected proxy configuration changes.
Patch guidance
Google has released Chrome 148.0.7778.216 as the fixed version. Patch deployment should be prioritized for any user-facing systems or devices with internet access. Verify against the official Google Chrome release notes and security advisory to confirm patch version applicability. For managed Chrome deployments, use the Chrome Enterprise policy to configure automatic updates or force an immediate update cycle. Rollout should proceed immediately given the Critical severity designation from Chromium's security team and the availability of a fix.
Detection guidance
Monitor for unusual PAC script modifications, unexpected proxy configuration changes, or PAC files served over unencrypted channels. Check Chrome process memory for signs of heap corruption or use-after-free exploits (via EDR tools capable of analyzing Chrome sandbox behavior). Log proxy configuration requests and validate that PAC scripts come from trusted, authenticated sources. Implement network monitoring to detect WPAD requests or DNS queries associated with known malicious domains. Monitor for Chrome crashes correlated with proxy activity—a common symptom of use-after-free exploitation attempts.
Why prioritize this
Although the vulnerability requires user interaction, its Critical designation by Chromium, network-accessible attack surface, and potential for reliable code execution place it in the high-priority patch category. The prevalence of Chrome in enterprise and consumer environments, combined with the relative ease of injecting malicious PAC scripts in some network scenarios, makes this a significant risk. Organizations should treat this as a P1 remediation item, particularly those with centralized proxy infrastructure or less mature network security controls.
Risk score, explained
The CVSS 8.8 (High) score reflects: (1) network-based attack vector—no local access required; (2) low attack complexity—crafting a malicious PAC script requires moderate technical skill but no exotic exploitation techniques; (3) required user interaction—the user must load a website or PAC file that triggers the vulnerability; (4) unchanged scope—impact is limited to the Chrome sandbox; and (5) high CIA impact—arbitrary code execution within the browser grants full read/write access to browser memory, stored credentials, and local files accessible to the user. The score appropriately captures the serious but somewhat contained nature of the risk.
Frequently asked questions
Do I need to do anything if I have Chrome set to auto-update?
Chrome's auto-update feature should deliver version 148.0.7778.216 automatically within days of release. You can verify your version by going to chrome://settings/help. However, it is wise to manually check and restart Chrome to ensure the update is applied, particularly in organizations where update deployment is controlled centrally.
Is my data at risk if I update Chrome?
No. Updating to the patched version is the primary mitigation. The vulnerability exists in unpatched versions; the patch removes the use-after-free condition. There is no additional risk from patching—it is the path to safety.
What if my organization uses a custom PAC script?
Custom PAC scripts deployed through enterprise policy are safe as long as they are not modified by an attacker. If you deploy PAC scripts, ensure they are delivered over HTTPS with authentication, signed if possible, and validated for integrity. If your infrastructure is compromised or if PAC files are served over HTTP, the risk increases. Audit your PAC delivery mechanism as part of remediation.
Can this vulnerability be exploited offline?
No. The vulnerability requires a malicious PAC script to be loaded by Chrome. This necessitates either a compromised or attacker-controlled proxy configuration source, or delivery via the network. Offline systems not connecting to the internet or systems that do not use PAC scripts are not affected.
This analysis is provided for informational purposes to aid security decision-making. The vulnerability details, patch information, and platform applicability are derived from official vendor advisories and public threat intelligence. Verify all patch versions, affected product versions, and deployment guidance against current vendor documentation before implementation. No guarantee is made regarding the completeness or real-time accuracy of this assessment. SEC.co recommends consulting your security team and the official Google Chrome security advisory for authoritative guidance on remediation timelines and testing procedures specific to your environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGHCritical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance