HIGH 8.8

CVE-2026-9976: High-Severity Chrome USB Vulnerability (RCE via Malicious Webpage)

Google Chrome versions before 148.0.7778.216 contain a flaw in how the browser handles USB device interactions. An attacker can craft a malicious HTML page that, when visited by a user, exploits this flaw to run arbitrary code on the victim's computer with the same privileges as the Chrome process. The vulnerability requires user interaction (visiting the page) but does not require the attacker to have special privileges or be on the same network—it can be delivered remotely via the internet.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-94
Affected products
4 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in USB in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9976 is an implementation defect in Chrome's USB handling code (CWE-94: Improper Control of Generation of Code). The vulnerability allows unauthenticated remote code execution when a user visits a crafted HTML page in a vulnerable Chrome instance. The attack vector is network-based with low attack complexity; the only user interaction required is navigating to or being directed to the malicious page. The vulnerability affects the confidentiality, integrity, and availability of the affected system, earning a CVSS 3.1 base score of 8.8 (High severity). This is a Chromium security issue classified as High by the project's own severity rating.

Business impact

Successful exploitation allows attackers to execute arbitrary code on systems running vulnerable Chrome versions, potentially leading to data theft, malware installation, lateral movement within networks, or system compromise. Organizations where users browse untrusted web content face significant risk. Compromise of a user's system can expose corporate data, credentials, and internal systems. The remote, low-complexity nature of the attack makes it a preferred vector for targeted or mass exploitation campaigns.

Affected systems

The vulnerability affects Google Chrome prior to version 148.0.7778.216. Because Chrome runs on Windows, macOS, and Linux, all instances of these operating systems running the vulnerable browser version are at risk. Note that Chrome's auto-update mechanism means many users may already be protected; however, systems with auto-update disabled, behind proxy filters that delay updates, or running on managed networks should be checked immediately.

Exploitability

The vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog as of the data provided, indicating no public evidence of active exploitation in the wild at the time of publication. However, given the straightforward attack vector (user visits a webpage) and high severity rating, exploitation is likely to be attempted once wider awareness spreads or if targeted campaigns begin. The requirement for user interaction is a minor obstacle compared to the accessibility of web-based delivery.

Remediation

Update Google Chrome to version 148.0.7778.216 or later. This can be done manually via Chrome's Settings > Help > About Google Chrome, which will check for and install the latest version, or automatically if auto-update is enabled. No workarounds exist; patching is the only mitigation.

Patch guidance

Deploy Chrome version 148.0.7778.216 or newer across your environment. Verify the version number in Chrome Settings > About to confirm successful installation. Consider enforcing automatic updates via Chrome's enterprise policies if not already in place. Organizations using Chrome Enterprise should prioritize updates on machines handling sensitive data or used for internal development. If you maintain a managed Chrome deployment, consult Google's release notes and administrative guidance to coordinate the rollout.

Detection guidance

Monitor browser version information in your endpoint detection and response (EDR) or mobile device management (MDM) tools to identify instances running Chrome versions prior to 148.0.7778.216. Log and alert on any suspicious process spawning from Chrome that does not align with expected behavior. Network-based detection is limited, as the attack occurs within the browser process; focus on behavioral indicators such as unexpected process execution, network connections, or file system modifications originating from Chrome. If you operate a proxy or web filter, monitor for traffic to sites known to host exploitation code or unusually complex JavaScript payloads served over HTTP/HTTPS.

Why prioritize this

This vulnerability earns high priority due to its combination of high CVSS score (8.8), remote attack vector with low complexity, requirement only for user interaction, and impact across confidentiality, integrity, and availability. The broad reach of Chrome across consumer and enterprise systems and the web-based attack delivery mechanism make it a natural target for threat actors. Although not yet on the KEV list, the ease of exploitation and potential for mass campaigns warrant immediate patching.

Risk score, explained

The CVSS 3.1 score of 8.8 (High) reflects a network-accessible vulnerability requiring only user interaction, with no special privileges needed. The attack results in complete compromise of the affected process (high confidentiality, integrity, and availability impact). The principal limiting factor is the requirement for user interaction; without it, this would be a critical-severity issue. The absence of attack complexity mitigations and the inherent trustworthiness users grant to browser content elevate the practical risk.

Frequently asked questions

I have Chrome set to auto-update. Do I still need to worry about this?

Auto-update is an excellent protection, but it is not instantaneous. Even with auto-update enabled, there may be a window of hours or days before your instance is updated. If you visit a malicious website during that window, you remain at risk. Check Settings > About to confirm you are running 148.0.7778.216 or later. If you are behind a corporate proxy or firewall, auto-update may be delayed further.

Does this affect Chromium-based browsers like Edge or Brave?

This specific CVE is reported against Google Chrome. However, Chromium-based browsers (such as Microsoft Edge, Brave, and others) may inherit similar vulnerabilities from the Chromium project. Check your browser vendor's security advisories and update guidelines to determine if they have issued patches for the same underlying issue.

What if I don't use Chrome? Am I affected?

This vulnerability is specific to Google Chrome. Firefox, Safari, and other browsers are not directly affected. However, users should always keep all browsers updated to the latest versions, as vulnerabilities in any browser pose similar risks.

Can my organization block this attack without updating Chrome?

No reliable workaround exists that eliminates the risk. Network-based defenses (such as blocking suspicious JavaScript) may offer partial protection, but they are not a substitute for patching. The only reliable mitigation is to update Chrome to 148.0.7778.216 or later. Organizations should prioritize this update in their patch management cycle.

This analysis is based on the CVE data and Chromium security advisory current as of the publication date. CVSS scores and severity ratings are provided as guidance; organizations should evaluate risk within their own environment and risk tolerance. Patch version numbers and affected product lists are derived from official vendor advisories; verify currency against vendor releases before deploying. No exploit code or proof-of-concept details are provided in this analysis. This intelligence is for defensive purposes and should be integrated into your organization's vulnerability management and patch strategy. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).