HIGH 8.8

CVE-2026-9984: Chrome Use-After-Free RCE on Windows

Google Chrome on Windows contains a use-after-free memory vulnerability in its UI layer that allows attackers to execute arbitrary code on affected systems. The flaw can be triggered by tricking a user into visiting a specially crafted webpage; no special privileges or system access is required from the attacker. This is a remote code execution risk that affects Chrome versions prior to 148.0.7778.216.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
2 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Use after free in UI in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9984 is a use-after-free vulnerability (CWE-416) in Google Chrome's user interface subsystem running on Windows platforms. The vulnerability stems from improper memory management where a UI object is accessed after it has been freed, allowing an attacker to control memory contents and achieve arbitrary code execution. The attack vector is network-based and requires only user interaction (visiting a malicious webpage), with no authentication or elevated privileges needed. Chromium has classified this as a High severity issue.

Business impact

Exploitation of this vulnerability could allow attackers to gain complete control of affected Chrome browser instances with the privileges of the logged-in user. This enables data theft from browser credentials, session tokens, and locally stored sensitive information; installation of malware or backdoors; lateral movement into corporate networks if the compromised user has elevated access; and potential disruption of business operations. Organizations with high numbers of Windows users running Chrome face elevated risk of targeted attacks and credential compromise.

Affected systems

Google Chrome on Microsoft Windows prior to version 148.0.7778.216 is affected. This includes all older stable releases and potentially Chrome on Windows 10, Windows 11, and earlier supported versions. Chrome on other operating systems (macOS, Linux, Android, iOS) is not affected by this specific vulnerability. Users should check their Chrome version under Settings > About Chrome to verify their current status.

Exploitability

This vulnerability has moderate exploitability barriers in practice despite a high CVSS score. An attacker must craft a malicious HTML page and convince or trick a user into visiting it—no self-propagating worm capability exists. However, the low complexity, lack of authentication requirements, and prevalence of social engineering make this a realistic threat in targeted campaigns. As of the published date, CVE-2026-9984 has not been added to the CISA Known Exploited Vulnerabilities catalog, suggesting limited public exploit activity at this time, though this does not guarantee future safety.

Remediation

Update Google Chrome to version 148.0.7778.216 or later immediately. Google Chrome's auto-update mechanism typically rolls out patches automatically, but users can force an update by visiting Settings > About Chrome. Organizations should verify deployment through enterprise management tools (Google Admin Console for Chrome OS/Browser, or third-party endpoint management platforms). No workarounds exist; patching is the only mitigation.

Patch guidance

Deploy Chrome version 148.0.7778.216 or any later stable release. For enterprise deployments, configure Chrome update policies to enable automatic updates or push patches through your mobile device management (MDM) or endpoint management solution. Verify patch deployment by auditing Chrome versions across your fleet using enterprise reporting tools. Test compatibility with critical web applications in your environment before forcing updates on all users, if needed, though this patch should be low-risk.

Detection guidance

Monitor for indicators of compromise including unusual child processes spawned from the Chrome executable, unexpected network connections from chrome.exe, and presence of suspicious browser extensions installed without user consent. Review browser history and downloaded files for indicators of malicious webpage visits. Endpoint Detection and Response (EDR) tools can alert on suspicious memory access patterns or process injection attempts targeting Chrome. Network-based detection is challenging but may identify command-and-control communication if malware is successfully deployed post-exploitation.

Why prioritize this

This vulnerability merits urgent patching due to its remote code execution capability, low attack complexity, and network accessibility. The requirement for user interaction is a meaningful control, but social engineering campaigns are effective and widespread. The CVSS score of 8.8 reflects the severity of potential impact (complete confidentiality, integrity, and availability compromise). Organizations should prioritize this patch within their standard critical vulnerability response timeline, typically 48–72 hours.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH) is driven by: (1) Network attack vector—the flaw is remotely exploitable with no special network positioning required; (2) Low attack complexity—no special conditions or tools are needed beyond a crafted webpage; (3) No privileges or authentication required; (4) User interaction required—the user must visit a malicious page, which is a mitigating factor; (5) Unchanged scope; (6) High impact on confidentiality, integrity, and availability through arbitrary code execution with user privileges. The score accurately reflects the practical risk for browser-based remote code execution.

Frequently asked questions

If I'm running Chrome on macOS or Linux, am I affected?

No. CVE-2026-9984 is specific to Chrome on Windows platforms. The use-after-free flaw exists in a Windows UI component and does not affect other operating systems. However, ensure you keep all platforms patched for their own vulnerability fixes.

Does enabling Chrome's automatic updates protect me?

Automatic updates should deploy version 148.0.7778.216 or later automatically, typically within hours of Chrome's release cycle. However, automatic updates may be delayed if your system is offline or if you have Chrome update policies configured in your organization. Verify your current version manually in Settings > About Chrome rather than relying solely on auto-update timing.

What should I do if I cannot update Chrome immediately?

Limit browsing on the affected Chrome instance to trusted, internal sites only. Consider using an alternative browser (Edge, Firefox) for untrusted or public websites until you can patch. If you use Chrome for work, inform your security team immediately so they can monitor for signs of exploitation. Do not delay patching beyond 72 hours.

Is there any indication this vulnerability is being actively exploited?

As of the publication date, CVE-2026-9984 has not been listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, which typically indicates limited evidence of active, widespread exploitation. However, the absence of a KEV listing does not guarantee the vulnerability is not being exploited in targeted campaigns. Patch promptly regardless of KEV status.

This analysis is provided for informational purposes to assist security professionals in vulnerability assessment and remediation planning. While the information is derived from authoritative sources (Chromium project, CVSS scoring, CVE repository), security circumstances and threats evolve rapidly. Organizations should verify patch availability and compatibility against the official Google Chrome release notes and their vendor advisory before deployment. This analysis does not constitute legal advice, guarantee protection against exploitation, or endorse any specific security tool or product. Always maintain multiple layers of defense (patching, user training, endpoint detection, network segmentation) rather than relying on any single control. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).