CVE-2026-9978: Chrome Use-After-Free Vulnerability in Glic Component
A use-after-free flaw in Google Chrome's Glic component allows attackers to run arbitrary code within the browser's sandbox by tricking users into visiting a malicious webpage. The vulnerability affects Chrome versions prior to 148.0.7778.216 across Windows, macOS, and Linux. While the code execution is confined to the sandbox, successful exploitation could lead to data theft, credential compromise, or lateral movement depending on the attacker's objectives and the system's security posture.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Use after free in Glic in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9978 is a use-after-free vulnerability (CWE-416) in the Glic component of Chromium/Google Chrome. The flaw occurs when freed memory is accessed after deallocation, allowing a remote attacker to corrupt the heap and execute arbitrary code within the browser sandbox. The vulnerability requires user interaction—a victim must visit or be redirected to a crafted HTML page—but no authentication or special privileges are needed. Google assigned this a High security severity rating, and the CVSS 3.1 score of 8.8 reflects the high impact on confidentiality, integrity, and availability within the sandbox context.
Business impact
Successful exploitation could expose sensitive user data—passwords, session tokens, personal information, and intellectual property—cached or in-transit within the browser. Organizations relying on web-based applications face increased risk of credential theft and account compromise. The sandbox containment limits direct OS-level damage, but attackers may chain this vulnerability with other flaws to escape the sandbox. Unpatched deployments represent a material risk to user privacy and organizational data security, particularly in environments handling sensitive customer or proprietary information.
Affected systems
This vulnerability affects Google Chrome on Windows, macOS, and Linux systems running versions prior to 148.0.7778.216. The vulnerability does not appear to affect Chromium-based browsers built from unpatched source code or derivative products that have not integrated the fix. Enterprise environments with Chrome as a standard browser—especially those using managed deployments—should prioritize patching across all affected platforms.
Exploitability
The attack vector is network-based and requires no special privileges, but user interaction is mandatory; the victim must open a malicious HTML page, typically through social engineering, phishing, or drive-by download tactics. The exploit does not require knowledge of memory layout randomization (ASLR), making it moderately reliable in practice. No public exploit or active in-the-wild campaign targeting this vulnerability has been reported as of the last update, but the low barrier to user interaction and the high impact make this a credible threat if attackers discover it.
Remediation
Update Google Chrome to version 148.0.7778.216 or later immediately. Both manual updates (Settings > About Chrome) and managed enterprise deployments via group policy or mobile device management should be prioritized. Users should enable automatic updates if not already configured. No known workarounds mitigate the vulnerability; patching is the only reliable remediation.
Patch guidance
Google Chrome auto-updates are enabled by default and will roll out version 148.0.7778.216 to users over time. Enterprise administrators should force immediate deployment through management tools rather than relying on gradual rollout. Verify the update version in Chrome settings (chrome://settings/help) displays 148.0.7778.216 or higher. Test the patch in a staging environment before broad deployment to ensure compatibility with internal web applications and extensions. Users on macOS and Linux should check system updates, as Chrome may be bundled with OS-level security updates.
Detection guidance
Monitor Chrome version inventory across your environment using endpoint detection and response (EDR) tools, mobile device management (MDM) for personal devices, or browser telemetry. Flag any systems running versions below 148.0.7778.216. Log and analyze failed or successful exploitation attempts through browser crash logs, sandbox exit events, and unexpected child process spawning from Chrome. Network-based detection is limited; focus on endpoint telemetry and user reports of browser crashes or unusual behavior after visiting untrusted links. Educate users to report suspicious pages or unexpected browser crashes promptly.
Why prioritize this
The combination of high CVSS score (8.8), remote network exploitability, user-interaction requirement, and potential for data exfiltration warrants prompt patching within 7–14 days for most organizations. While the sandbox containment provides defense-in-depth, the lack of public active exploitation and lower complexity of the exploit itself make this a high-priority but not emergency patch. Prioritize systems used by high-value targets (executives, developers, finance staff) and public-facing kiosks or shared devices.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) reflects: (1) network-accessible attack surface (AV:N); (2) low complexity exploitation requiring no special conditions (AC:L); (3) no privileges required (PR:N); (4) mandatory user interaction (UI:R), slightly reducing severity; (5) no scope change (S:U), meaning impact is limited to the browser sandbox; and (6) high impact on confidentiality, integrity, and availability within that scope (C:H, I:H, A:H). The sandbox containment and user-interaction requirement prevent a Critical rating, but the ease of delivery via web content and potential for sensitive data theft justify the HIGH classification.
Frequently asked questions
Can I be exploited by simply visiting a normal website?
No. The attacker must craft a malicious HTML page specifically designed to trigger the vulnerability. Visiting legitimate, well-maintained websites is safe. However, compromised legitimate sites, ad networks, or attacker-controlled sites pose a risk. If you are unsure of a link's safety, avoid clicking it until your browser is patched.
Does the sandbox protection mean I'm safe even if unpatched?
The sandbox significantly limits what an attacker can achieve, but it is not a complete guarantee of safety. A skilled attacker can potentially use this flaw in combination with other vulnerabilities to break out of the sandbox and access your operating system. Patching is essential; do not rely on the sandbox as your only defense.
Does this affect other Chromium-based browsers like Edge or Opera?
Microsoft Edge and other Chromium derivatives may be affected if they use the same Glic component and have not yet integrated the patch. Check with your browser vendor for updates. Most major vendors like Microsoft release patches within days of Google's Chromium fix.
What should I do if I suspect I was compromised by this vulnerability?
Change your passwords from a different device immediately, enable two-factor authentication on critical accounts, and monitor your accounts for unauthorized access. Scan your system for malware using a trusted antivirus tool and consider running a full system backup restore if you suspect data exfiltration. Report the incident to your IT security team if on a corporate device.
This analysis is provided for informational purposes and represents SEC.co's interpretation of publicly available vulnerability data as of the publication date. CVSS scores and severity ratings are assigned by vendors and may be updated. Organizations must validate all patch versions and compatibility in their own environments before deployment. Security patch timelines and vendor advisories are subject to change; always consult the official Google Chrome release notes and your organization's vulnerability management policy. No guarantee is provided regarding the accuracy or completeness of this intelligence in all deployment scenarios. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGHCritical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance