CVE-2026-9995: Chrome WebXR Use-After-Free Code Execution Vulnerability
Google Chrome contains a use-after-free memory vulnerability in its WebXR implementation that allows attackers to execute arbitrary code within the browser's sandbox. An attacker can craft a malicious HTML page that, when visited by a user, triggers this flaw to break out of memory protections and run code. This affects Chrome versions prior to 148.0.7778.216 on Windows, macOS, and Linux systems.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Use after free in WebXR in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9995 is a use-after-free (CWE-416) vulnerability in Chrome's WebXR module. The flaw occurs when the WebXR implementation fails to properly manage memory for objects during the rendering or session lifecycle, allowing freed memory to be accessed and manipulated. An attacker exploits this by delivering a specially crafted HTML page that triggers object deallocation followed by unauthorized access to that memory region. The vulnerability requires user interaction (visiting the malicious page) but operates with network-level accessibility and no privilege requirements, resulting in a CVSS 3.1 score of 8.8 (HIGH). Chromium's internal severity assessment also classifies this as High.
Business impact
This vulnerability enables arbitrary code execution within the Chrome sandbox on any system running an affected version. While the sandbox contains damage to the renderer process, a sandbox escape combined with other flaws or the execution of malicious payloads (credential theft, data exfiltration, cryptomining) poses significant risk to enterprise users and consumers. Organizations relying on Chrome for security-sensitive tasks face potential data compromise. Browser-based attacks are particularly dangerous because they bypass perimeter controls and exploit trusted, daily-use software.
Affected systems
Google Chrome versions prior to 148.0.7778.216 on all platforms: Microsoft Windows, Apple macOS, and Linux systems are affected. Chrome is also available on Android and iOS, so verify platform-specific patch availability. Any device running an unpatched Chrome version is exposed when users visit malicious or compromised websites.
Exploitability
The vulnerability requires user interaction (clicking a link or visiting a page) but needs no special privileges or complex environment setup. Network accessibility is unrestricted. An attacker can host the malicious HTML on a public server or inject it into compromised legitimate websites. The barrier to exploitation is low; the primary mitigation is keeping Chrome up to date. No public exploit code is known to be weaponized, but the simplicity of the attack vector means exploitation is likely if patches lag adoption.
Remediation
Update Google Chrome to version 148.0.7778.216 or later immediately. Verify that automatic updates are enabled in your organization's Chrome deployment. For managed environments, configure update policies to enforce timely patching. Users can manually check for updates via Chrome menu > Settings > About Google Chrome, which triggers an immediate update check.
Patch guidance
Deploy Chrome 148.0.7778.216 or later across all systems. For enterprise environments, use Google's Chrome Enterprise support or mobile device management (MDM) platforms to enforce updates. Verify the patch version against Google's official security updates page (https://chromereleases.googleblog.com/) before deployment. Consider blocking older Chrome versions from accessing sensitive resources if your infrastructure supports it.
Detection guidance
Monitor Chrome version inventory using endpoint detection and response (EDR) tools, MDM platforms, or software asset management systems to identify clients still running versions prior to 148.0.7778.216. Enable browser telemetry logging where available. Security teams cannot reliably detect exploitation attempts after the fact (the sandbox restricts visible artifacts), so prevention through patching is critical. Watch for anomalous child process spawning from Chrome if sandbox escapes occur.
Why prioritize this
This vulnerability scores 8.8/10 (HIGH) due to unrestricted network accessibility, low attack complexity, requirement for only user interaction, and impact on all three confidentiality, integrity, and availability. Chrome's ubiquity means millions of devices may be exposed. The WebXR module is increasingly common as VR/AR adoption grows, expanding the attack surface. Though not yet on the CISA KEV catalog, the combination of high CVSS, ease of exploitation, and mainstream target makes this a top-tier patching priority.
Risk score, explained
CVSS 3.1 score of 8.8 reflects: Attack Vector (Network) = unrestricted remote access, Attack Complexity (Low) = no special conditions needed, Privileges Required (None) = attacker needs no authentication, User Interaction (Required) = user must visit a malicious page, Scope (Unchanged) = impact limited to the vulnerable component, and Confidentiality/Integrity/Availability (all High) = arbitrary code execution enables theft, modification, and denial of service. The sandbox containment prevents kernel-level compromise but does not reduce the score because code execution within the browser process is sufficient for data theft and malware delivery.
Frequently asked questions
Can an attacker exploit this without the user visiting a malicious site?
No. The vulnerability requires user interaction—specifically visiting or viewing a crafted HTML page. Exploitation cannot occur silently in the background or via drive-by download alone. However, social engineering, watering hole attacks, or compromised legitimate websites can deliver the malicious content at scale.
Does the Chrome sandbox prevent all damage from this exploit?
The sandbox prevents direct kernel access and system-level compromise, but it does not prevent arbitrary code execution within the renderer process itself. An attacker can steal cookies, credentials, locally stored data, and use the compromised browser process for lateral movement or malware delivery. Full sandbox escape is possible if chained with other vulnerabilities.
Why is this vulnerability rated HIGH even though it's limited to the browser?
Because arbitrary code execution in a user's browser—even sandboxed—enables credential theft, data exfiltration, and malware distribution to millions of users globally. The accessibility (network, no auth), ease of exploitation (low complexity), and the ubiquity of Chrome make this a systemic risk despite sandbox containment.
Is there a workaround if we cannot patch immediately?
No robust workaround exists. Temporary mitigations include restricting Chrome updates to only internal websites, disabling WebXR features (though this limits modern web functionality), or using alternative browsers temporarily. However, these are fragile and do not eliminate risk. Patching is the only reliable remediation.
This analysis is based on publicly disclosed vulnerability data and Chromium security advisories. Patch versions and timing are provided for reference and should be verified against official Google Chrome release notes and your vendor's security advisories before deployment. SEC.co does not guarantee the completeness or real-time accuracy of this information. Organizations should conduct their own risk assessment and testing in non-production environments before applying patches. This document is for informational purposes and does not constitute legal or compliance advice. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGHCritical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance