CVE-2026-9961: Critical Chrome Use-After-Free in SurfaceCapture – Patch Now
A use-after-free memory vulnerability exists in Google Chrome's SurfaceCapture component that allows attackers to corrupt heap memory. An attacker can craft a malicious HTML page that, when visited by a user, triggers the flaw to potentially execute arbitrary code with the privileges of the Chrome process. The vulnerability requires user interaction (visiting a malicious site) but has high impact once triggered.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Use after free in SurfaceCapture in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9961 is a use-after-free vulnerability (CWE-416) in the SurfaceCapture module of Chromium. The flaw occurs when SurfaceCapture fails to properly manage object lifetime, allowing a reference to freed memory to be accessed and written to during subsequent operations. A remote attacker can supply a specially crafted HTML document that triggers this condition, leading to heap corruption. The vulnerability was patched in Chrome version 148.0.7778.216. The CVSS 3.1 score of 8.8 reflects the high severity: network-exploitable with low attack complexity, no privilege requirement, user interaction needed, and potential for confidentiality, integrity, and availability impact.
Business impact
This vulnerability poses significant risk to organizations whose employees use Chrome as a primary browser. Successful exploitation could allow attackers to gain code execution on employee workstations, potentially leading to data theft, lateral movement within networks, or installation of persistent malware. The attack surface is broad—any user visiting a compromised or attacker-controlled website could be targeted. Organizations relying on Chrome for web-based tools or accessing cloud services are particularly exposed until patching is complete.
Affected systems
Google Chrome versions prior to 148.0.7778.216 are affected. The vulnerability impacts Chrome running on multiple operating systems: Windows, macOS, and Linux. All three platforms are equally vulnerable to the memory corruption condition when the affected Chrome version is in use. Organizations should inventory Chrome deployments across all endpoints regardless of OS distribution.
Exploitability
Exploitation is relatively straightforward from an attacker perspective: a malicious HTML page is sufficient to trigger the vulnerability. No special network conditions or authentication are required. The primary barrier is user interaction—the target must visit the attacker's page or a compromised legitimate site. Given the prevalence of drive-by download attacks and social engineering, this represents a practical threat. The vulnerability is not known to be actively exploited in the wild based on KEV status, but the low attack complexity and high impact make it attractive for weaponization.
Remediation
Update Google Chrome to version 148.0.7778.216 or later immediately. Chrome typically auto-updates, but users should verify they are on the latest version by navigating to Chrome menu > About Chrome, which will prompt an automatic update if available. Organizations with managed Chrome deployments should verify update policies are enforced and monitor deployment status. No workarounds exist for unpatched versions other than avoiding untrusted websites or disabling SurfaceCapture features if possible through enterprise policy.
Patch guidance
Organizations should prioritize updating Chrome across all endpoints to version 148.0.7778.216 or later. For managed environments, verify that auto-update policies are active or deploy updates through your device management system (e.g., Intune, Jamf, workspace management tools). Test updates in a small cohort first to ensure no compatibility issues with internal web applications. Establish a tracking mechanism to confirm deployment success across all managed Chrome instances. Users on personal devices should be encouraged to enable auto-update and manually check for updates if they have not been automatically applied.
Detection guidance
Monitor endpoint telemetry for Chrome process crashes or unexpected child process spawning, which may indicate exploitation attempts. Network-based detection is limited since the malicious payload is typically embedded in HTML or JavaScript. Consider monitoring for indicators of compromise post-exploitation: unusual network connections from Chrome processes, suspicious file writes to temporary directories, or behavioral anomalies following a user's web browsing session. Implement application whitelisting rules to restrict unsigned processes spawned by Chrome. Log and alert on Chrome version inventory to identify outdated instances.
Why prioritize this
This vulnerability warrants high priority due to its CVSS score of 8.8, broad attack surface (any Chrome user), achievable exploitation via simple HTML, and potential for severe impact (code execution). While not yet in the public KEV catalog, the combination of low attack complexity and high impact makes it likely to be targeted soon. Browser vulnerabilities are frequently exploited in targeted attacks and watering hole campaigns. Organizations should treat this as a critical update within their Chrome estate.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) reflects: Network-exploitable attack vector with no special privilege or authentication required; low attack complexity (a crafted HTML page is sufficient); user interaction required (user must visit the malicious page); unchanged scope; and high impact across confidentiality, integrity, and availability (potential heap corruption leading to code execution). The score appropriately weights the practical exploitability against the significant potential damage, positioning this as a critical patch for most organizations.
Frequently asked questions
Does Chrome auto-update? Will my users be protected automatically?
Chrome auto-updates in the background and will restart the browser to apply new versions. However, if a user has Chrome pinned open across sessions, the update may not take effect immediately. Users should be advised to restart their browser or the system to ensure version 148.0.7778.216 is active. IT teams should verify deployment success rather than assuming auto-update has reached all devices.
What is SurfaceCapture and who needs to be concerned?
SurfaceCapture is a Chromium component that handles screen and window capture for features like screen sharing and recording. Most users are affected simply by running Chrome; they don't need to explicitly use capture features for the vulnerability to exist. However, exploitation typically requires a user to visit a malicious page, so organizations where employees browse untrusted sites or receive targeted phishing are at higher risk.
Is this vulnerability being actively exploited?
As of the published date, this vulnerability is not listed on the CISA KEV catalog, indicating no confirmed active exploitation in the wild. However, the low barrier to exploitation and high potential impact mean organizations should not delay patching based on this status. Threat actors often exploit high-severity browser vulnerabilities quickly after public disclosure.
Can we block this vulnerability at the network level without patching Chrome?
Network-based blocking is difficult because the attack is delivered via standard HTTPS traffic (a crafted HTML page). Web content filtering or blocking known malicious domains can reduce risk, but cannot prevent exploitation from zero-day or previously-uncompromised attacker sites. Patching remains the only reliable defense. Enterprise policies restricting browsing to approved sites can reduce exposure in highly controlled environments.
This analysis is based on CVE-2026-9961 as published by vendor security advisories. Organizations should verify patch availability and compatibility with their specific Chrome deployment model before broad rollout. This vulnerability is not currently listed on the CISA KEV catalog; however, KEV status does not indicate absence of exploitation risk. No exploit code or proof-of-concept is provided in this analysis. Security teams should conduct independent risk assessment based on their environment's exposure and threat model. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGHCritical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance