HIGH 8.8

CVE-2026-9973: Chrome V8 Out-of-Bounds Write Remote Code Execution (CVSS 8.8)

CVE-2026-9973 is a memory corruption vulnerability in Google Chrome's V8 JavaScript engine that allows attackers to run malicious code within the browser's sandbox by hosting a specially crafted HTML page. An attacker would need to trick a user into visiting the malicious site, but once there, the flaw provides a direct path to arbitrary code execution. Chrome versions before 148.0.7778.216 are vulnerable.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-787
Affected products
4 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Out of bounds write in V8 in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This out-of-bounds write vulnerability (CWE-787) exists in the V8 engine prior to Chrome 148.0.7778.216. The flaw permits an attacker to write memory beyond intended buffer boundaries, enabling code execution within the sandboxed V8 context. The sandbox provides some containment, but successful exploitation allows arbitrary computation and potential access to sensitive data or further system compromise depending on the browser's privilege model and installed extensions.

Business impact

Organizations relying on Chrome for web-based internal tools face risk if employees visit malicious sites or receive phishing emails with crafted HTML attachments. For enterprises, this could lead to data exfiltration, credential theft, or deployment of second-stage malware. The attack vector is low-friction (requires only user interaction with a webpage), making it a practical threat vector for social engineering campaigns. Patch urgency is elevated given the sandbox escape potential and high CVSS score.

Affected systems

Google Chrome prior to version 148.0.7778.216 is vulnerable across Windows, macOS, and Linux. Users on any supported operating system are at risk if they use affected Chrome versions. Verify your organization's Chrome version and deployment footprint; mobile Chrome (iOS, Android) should be assessed separately against their respective security advisories.

Exploitability

The vulnerability requires user interaction (visiting a malicious webpage or opening an attachment), which lowers the barrier to exploitation compared to network-propagating worms. No authentication is required. The Chromium security team rated it as 'High' severity. The attack is likely to be weaponized once details circulate; however, the vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning active in-the-wild exploitation has not been officially documented as of the last update.

Remediation

Immediately update Google Chrome to version 148.0.7778.216 or later. Most Chrome installations auto-update, but verify completion by checking Settings > About Google Chrome. For managed environments, use group policies or MDM solutions to enforce the update. Test compatibility with critical web-based applications post-patch. Consider blocking known malicious domains using security proxies while updates roll out.

Patch guidance

Conduct a staged rollout if your environment has mission-critical applications dependent on Chrome. Version 148.0.7778.216 addresses this flaw. Verify the patch is deployed across all user devices and kiosks using Chrome. For Windows deployments, check Group Policy updates; for macOS, confirm Jamf or similar MDM solutions have pushed the update; for Linux, use your package manager to verify the latest Chrome version is installed. Test before full deployment only if you have known compatibility concerns with legacy web applications.

Detection guidance

Monitor Chrome version numbers in your fleet using endpoint detection and response (EDR) tools or MDM solutions. Look for crash dumps or V8 engine errors in browser debug logs, though this vulnerability's in-the-wild detection is difficult without behavioral indicators. Consider monitoring for suspicious user navigation to known phishing or attacker-controlled domains. If you suspect exploitation, preserve browser caches and memory dumps for forensic analysis. Web proxies may log requests to deliver the crafted HTML, so review proxy logs for unusual JavaScript-heavy payloads delivered from untrusted sources.

Why prioritize this

This vulnerability merits immediate attention due to its CVSS 8.8 (HIGH) severity, ease of exploitation via social engineering, and potential for direct code execution. The attack surface is broad—any user visiting a malicious webpage is at risk—and the low-friction user interaction requirement makes it attractive to threat actors. While not yet listed on the KEV catalog, the combination of high impact and active attacker incentive to develop exploits means rapid patch deployment should be prioritized.

Risk score, explained

The CVSS 3.1 score of 8.8 reflects a network-based attack (AV:N) with low complexity (AC:L), no authentication (PR:N), and requirement for user interaction (UI:R). The impact is severe: high confidentiality loss (C:H), high integrity loss (I:H), and high availability loss (A:H), indicating that successful exploitation can fully compromise user data, inject malicious content, and disrupt browser functionality. The score does not account for the sandbox boundary, which does provide some secondary containment.

Frequently asked questions

Why should we patch even though this isn't on CISA's KEV list yet?

The KEV catalog tracks vulnerabilities with confirmed active exploitation in the wild. The absence of a KEV listing does not indicate low risk—it reflects a time lag in confirmation or active exploit development. Given the high CVSS score, ease of delivery via web, and attractiveness to attackers, proactive patching is prudent. KEV status can change rapidly.

Does the V8 sandbox prevent the attacker from accessing my files or other browser data?

The V8 sandbox constrains the attacker to operations within the JavaScript engine context and prevents direct system calls in most cases. However, the vulnerability enables arbitrary code execution *within* the sandbox, from which attackers can potentially access cached credentials, session tokens, browsing history, and local storage data. Further exploits may be chained to escape the sandbox.

How do we handle this if our organization has thousands of Chrome devices?

Leverage MDM (Mobile Device Management) or enterprise Chrome management policies to push the update automatically. Verify rollout completion via fleet reports in your MDM or Chrome Enterprise console. Test on a pilot group first if you have legacy web applications. Most organizations with standard deployments will see auto-update complete within 24-48 hours.

Can threat actors exploit this without the user clicking anything?

No, the vulnerability requires user interaction—the attacker must trick the user into visiting or opening the crafted HTML. This is typically delivered via phishing email, malicious advertisement, or compromised website. It is not a wormable vulnerability that spreads on its own.

This analysis is based on publicly available vulnerability data as of June 2026. Patch version numbers and affected product versions reflect the source advisory; always verify against official vendor security bulletins before deployment. This document does not constitute legal or compliance advice. Organizations should conduct their own risk assessment based on their environment and threat model. No exploit code or weaponized proof-of-concept information is provided herein. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).