Google Chrome GPU Use-After-Free: Remote Code Execution via Crafted HTML
The National Vulnerability Database has disclosed CVE-2026-9112, a high-severity use-after-free vulnerability in the GPU component of Google Chrome on Windows. This flaw, present in versions prior to 148.0.7778.179, allows a remote attacker to execute arbitrary code within the browser’s sandbox. The attack vector is a crafted HTML page, meaning a user simply visiting a malicious website could trigger the exploit.
This is a critical client-side vulnerability. The attacker’s calculus here is straightforward: web browsers are universal. A successful exploit bypasses the browser’s sandbox, a fundamental security control, and could lead to system compromise. Such vulnerabilities are prime targets for initial access in sophisticated attacks, including watering-hole campaigns or phishing-driven exploits.
Defenders need to prioritize patching. While the sandbox offers some containment, a successful use-after-free can lead to information disclosure or full system compromise. The high CVSS score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) underscores the ease of exploitation (low attack complexity, no privileges required, user interaction via a click) and the severe impact (high confidentiality, integrity, and availability compromise). This isn’t just a crash; it’s a doorway.
What This Means For You
- If your organization uses Google Chrome on Windows, ensure all instances are updated to version 148.0.7778.179 or later immediately. This CVE-2026-9112 is a high-severity RCE that can be triggered by merely browsing a malicious site. Don't rely solely on automated updates; verify patch status across your fleet.
Related ATT&CK Techniques
🛡️ Detection Rules
4 rules · 6 SIEM formats4 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
Web Application Exploitation Attempt — CVE-2026-9112
title: Web Application Exploitation Attempt — CVE-2026-9112
id: scw-2026-05-20-1
status: experimental
level: high
description: |
Detects common exploitation patterns targeting web applications. Review CVE-2026-9112 advisories for specific indicators.
author: SCW Feed Engine (auto-generated)
date: 2026-05-20
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-9112/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri-query|contains:
- '..'
- 'SELECT'
- 'UNION'
- '<script'
- 'cmd='
- '/etc/passwd'
condition: selection
falsepositives:
- Legitimate activity from CVE-2026-9112
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-9112 | Use After Free | Google Chrome on Windows prior to 148.0.7778.179 |
| CVE-2026-9112 | RCE | Execute arbitrary code inside a sandbox via a crafted HTML page |
| CVE-2026-9112 | Memory Corruption | Use after free in GPU |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 20, 2026 at 23:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-4811 — Cross-Site Scripting (XSS)
CVE-2026-4811 — The WPB Floating Menu & Categories for WordPress – Sticky Side Menu with Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting...
CVE-2026-1881 — The Broadstreet plugin for WordPress is vulnerable to
CVE-2026-1881 — The Broadstreet plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.52.2 via the get_sponsored_meta...
CVE-2026-9149 — Libsolv Buffer Overflow
CVE-2026-9149 — A flaw was found in libsolv. This heap buffer overflow vulnerability occurs when a victim processes a specially crafted `.solv` file containing negative...