CVE-2026-9945: Chrome Media Use-After-Free RCE on Windows
A use-after-free vulnerability exists in Google Chrome's media handling code on Windows systems. An attacker can craft a malicious HTML page that, when visited by a user, triggers the vulnerability to execute arbitrary code within Chrome's sandboxed environment. This requires user interaction (visiting a link or webpage) but no special privileges, making it a practical attack vector for compromised websites or phishing campaigns.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Use after free in Media in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9945 is a use-after-free (CWE-416) flaw in Chrome's media subsystem affecting Windows deployments prior to version 148.0.7778.216. The vulnerability allows remote code execution within the Chrome sandbox via crafted HTML markup. The CVSS v3.1 score of 8.8 (HIGH) reflects the combination of network-based attack vector, low attack complexity, no privilege requirement, and user interaction as the sole precondition. While execution occurs in the sandbox, successful exploitation still permits reading, modifying, and disabling application functionality.
Business impact
Chrome users on Windows remain at risk of malware infection, data theft, and credential compromise through drive-by attacks on compromised or attacker-controlled websites. Organizations relying on Chrome for web access face potential data exfiltration and lateral movement staging points, particularly if sandbox escape techniques are chained with this vulnerability. Delayed patching extends the window for mass exploitation before users update.
Affected systems
Google Chrome on Windows versions prior to 148.0.7778.216 are affected. This spans millions of Windows users globally, including enterprise deployments where Chrome is used for web applications and cloud services. The vulnerability does not affect Chrome on macOS, Linux, or other platforms, nor does it affect other Chromium-based browsers unless they have independently merged the vulnerable code and backported it.
Exploitability
Exploitability is high in practice. An attacker needs only to host a malicious HTML page and direct users to it—no zero-click delivery, no network proximity requirement, and no authentication. The user interaction barrier is low: visiting a webpage qualifies. Once a victim lands on the page, the crafted media element can trigger the use-after-free condition and execute arbitrary code. The sandbox constraint limits but does not eliminate impact; sandbox escapes, though harder, have been demonstrated in the past.
Remediation
Update Google Chrome to version 148.0.7778.216 or later on all Windows systems. Verify update deployment through Chrome's automatic update mechanism or manual update prompts. Organizations should enforce Chrome updates via managed device policies (e.g., Group Policy on Windows domains) to ensure rapid coverage. Until patched, users should avoid untrusted websites and disable JavaScript if feasible for high-risk browsing.
Patch guidance
Google Chrome ships automatic updates; most users will receive version 148.0.7778.216 within hours of release. Enterprise administrators should verify rollout through Chrome Management console or by checking chrome://version on managed devices. For air-gapped or restricted environments, manually download the installer from Google's official update server. Test the patch on a non-critical system first to confirm media functionality (video playback in web applications) remains intact.
Detection guidance
Monitor Chrome crash logs and crash reports for segmentation faults or memory corruption patterns in the media component (look for module names like 'media_service.dll' or stack traces involving 'MediaService'). Endpoint detection and response (EDR) tools should flag unusual process execution spawned from Chrome or suspicious child processes. Network-based detection is limited unless you inspect encrypted TLS traffic; focus on identifying compromised websites distributing malicious HTML via threat intelligence feeds or web proxy logs showing visits to known-malicious domains.
Why prioritize this
This vulnerability merits high priority due to its high CVSS score (8.8), practical exploitability via simple user interaction, and lack of KEV status (meaning no in-the-wild active exploitation has yet been formally confirmed, but that does not lower the threat). The large installed base of Chrome on Windows means widespread risk. Immediate patching is justified to prevent opportunistic attacks while the exploit window remains narrow.
Risk score, explained
The CVSS v3.1 score of 8.8 (HIGH) reflects: network-based attack vector (AV:N) requiring no special network position; low attack complexity (AC:L) given the straightforward nature of hosting a malicious page; no privilege requirement (PR:N); mandatory user interaction (UI:R) as the sole gate; unchanged scope (S:U) with no privilege escalation beyond the user's own session; and high confidentiality, integrity, and availability impact (C:H/I:H/A:H) within the sandbox. The sandbox does not lower the CVSS score because the vector assumes impact to the affected resource (the browser process and its data).
Frequently asked questions
Does this vulnerability affect Chrome on macOS or Linux?
No. This use-after-free flaw is specific to the Windows implementation of Chrome's media handling. macOS and Linux users are not affected by CVE-2026-9945. However, both platforms should still maintain current Chrome versions to address other vulnerabilities.
Can this vulnerability be exploited without user interaction?
No. An attacker must persuade a user to visit a webpage hosting the crafted HTML. There is no zero-click or automatic trigger. This means phishing, watering hole attacks, or compromised ad networks are typical delivery mechanisms rather than passive network-based worms.
If I'm running Chrome in a sandbox, am I fully protected?
Chrome's built-in sandbox does contain the immediate damage from code execution, limiting access to the user's full system. However, sandboxes are not impenetrable; attackers often chain this vulnerability with a sandbox escape to gain fuller system access. Prompt patching removes the initial entry point and is your best defense.
What should I do if I suspect I visited a malicious page?
Update Chrome immediately to 148.0.7778.216 or later. Run a full system antivirus scan to check for any secondary malware. Review your browser history and recent logins; if credentials were stolen, reset passwords for critical accounts. Monitor accounts for suspicious activity over the next 30 days.
This analysis is provided for informational purposes to help security practitioners prioritize vulnerability response. We do not guarantee the accuracy of third-party vendor timelines or patch availability. Always verify patch deployment against official Google Chrome release notes and your organization's device management console. This vulnerability is not currently listed on CISA's KEV catalog, but absence from KEV does not indicate low risk; patches should be deployed promptly. SEC.co makes no warranty regarding exploit availability, detection rules, or real-world attack prevalence. Consult with your security team and vendor advisories before making operational decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10000HIGHChrome Sandbox Escape via Use-After-Free in Password Handling
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability