HIGH 8.8

CVE-2026-9923: Use-After-Free in Chrome Skia Graphics Engine (CVSS 8.8)

A use-after-free vulnerability exists in Skia, the graphics library used by Google Chrome. An attacker can exploit this flaw by hosting a specially crafted HTML page. If a user visits that page while running a vulnerable version of Chrome, the attacker may corrupt memory on the user's system, potentially leading to data theft, system compromise, or browser crashes. The vulnerability requires user interaction (visiting a malicious page) but no special privileges.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Use after free in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9923 is a use-after-free (CWE-416) memory safety vulnerability in Skia, Chromium's 2D graphics engine. The flaw allows an attacker to reference memory that has already been freed, causing heap corruption. When triggered via a maliciously crafted HTML page delivered over the network, the vulnerability can be exploited without authentication or elevated privileges. The attack surface is broad—any website or web-based application the user visits becomes a potential delivery vector. Chromium has assigned this a High security severity rating.

Business impact

This vulnerability poses significant risk to organizations whose users rely on Chrome for web-based work or access to sensitive applications. Successful exploitation could enable credential theft, unauthorized access to business systems, malware installation, or data exfiltration from the user's machine. The low complexity of exploitation (network-only, no special setup required) and the requirement for only user interaction (following a link) mean that mass campaigns are feasible. Organizations without rapid patching processes face material risk of compromise through routine web browsing.

Affected systems

Google Chrome versions prior to 148.0.7778.216 are affected. This includes all stable, beta, and development releases below that version number across all platforms (Windows, macOS, Linux, Android, iOS). Users running older Chrome versions are at risk regardless of operating system or architecture. Organizations using Chrome enterprise deployments should verify their current patch level against the fixed version.

Exploitability

Exploitability is high. The attack requires only network connectivity and user interaction (visiting a malicious web page), with no prerequisite system access or social engineering beyond standard phishing/watering-hole tactics. No advanced exploit knowledge is needed from the attacker's perspective once the memory corruption primitive is understood. The attack surface includes any website the user might visit, making this a broadly exploitable class of vulnerability. As of the provided data, this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting exploitation in the wild has not yet been confirmed; however, this should not reduce urgency given the straightforward attack model.

Remediation

Update Google Chrome to version 148.0.7778.216 or later immediately. This applies to all Chrome installations across consumer and enterprise environments. For Chrome Enterprise customers, use your policy management tools to enforce automatic updates or deploy the patched version to all managed devices. Verify successful patching by confirming the version string in Chrome's About page (chrome://about/). Users unable to update immediately should avoid visiting untrusted websites and consider using alternative browsers for critical tasks.

Patch guidance

Verify against Google's official Chrome release notes and security update advisories that the patched version is 148.0.7778.216 or later. Automated update mechanisms in modern Chrome versions should deploy this patch within 24–48 hours of release. For enterprise deployments: (1) confirm your update policy is enabled and set to install security patches immediately; (2) test patching in a non-production environment first if your organization has a staged rollout process; (3) monitor Chrome version telemetry to confirm fleet compliance. Organizations using older Chrome versions on locked-down systems should prioritize manual intervention to reach the fixed version.

Detection guidance

Monitor for Chrome version compliance across your organization using endpoint management tools or vulnerability scanning software. Look for hosts running Chrome versions before 148.0.7778.216. Check for any reported browser crashes or unusual memory access patterns in system logs around the time of potential exploitation attempts, though this may not yield reliable signals. Web proxy logs can flag access to known malicious HTML payloads if signatures are available from security vendors. Focus detection on high-value targets (finance, research, executive functions) if resources are limited. Verify patching status 48–72 hours after the security update was announced to ensure timely deployment.

Why prioritize this

This vulnerability merits immediate patching priority due to its high CVSS score (8.8), broad exploitability (network, low complexity, user interaction only), and potential for memory corruption leading to code execution. The graphics library it affects is loaded in nearly every browser session, maximizing exposure. While not yet in CISA's KEV catalog, the straightforward attack model and attractive payload delivery mechanism (any web page) suggest active exploitation is likely to follow quickly. Organizations should treat this as a critical patch with target deployment within 1–2 weeks.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH) reflects: (1) network attack vector requiring no authentication; (2) low attack complexity (straightforward HTML crafting); (3) user interaction required (visiting a page); (4) high impact on confidentiality, integrity, and availability through potential code execution or denial of service. The score does not account for real-world exploit availability or active campaigns; however, the underlying technical characteristics strongly suggest this vulnerability will be weaponized rapidly by competent threat actors.

Frequently asked questions

Do I need to worry about this if I use Chrome on mobile?

Yes. Chrome on both Android and iOS may be affected by this vulnerability. Ensure you update through your device's app store. iOS users should check the App Store for Chrome updates; Android users should enable automatic updates or manually check Google Play Store.

What if I'm using Chromium or a Chromium-based browser like Edge or Brave?

This vulnerability is specific to the Skia graphics engine as used in Chromium. Other Chromium-based browsers (Microsoft Edge, Brave, Opera) may also be affected if they use a vulnerable version of Chromium. Check each browser vendor's security advisory for their patch status and timeline.

Can attackers exploit this without me clicking anything?

No. The attack requires user interaction—specifically, visiting a malicious HTML page. However, that bar is low: a standard phishing link, compromised advertisement, or watering-hole attack on a legitimate site can deliver the exploit. Simply clicking a link in an email or seeing a malicious ad is sufficient.

Will antivirus software detect an attack against this vulnerability?

Antivirus tools are unlikely to detect the exploitation attempt itself, as the attack occurs within the browser's memory during rendering. However, some advanced endpoint detection and response (EDR) solutions may flag suspicious memory access patterns or process behavior following exploitation. The best defense is patching before exposure.

This analysis is provided for informational and educational purposes. The information herein is based on publicly available data as of the publication date and may not reflect all current threat intelligence or real-world exploitation activity. Always verify patch versions and patch availability against official vendor advisories before deploying. CVSS scores represent baseline technical severity and do not account for organizational context, threat landscape, or compensating controls. Consult your security team or a qualified vendor before making patching decisions in your environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).