Google Chrome Use-After-Free (CVE-2026-9118) Allows Remote Code Execution

The National Vulnerability Database has disclosed CVE-2026-9118, a high-severity use-after-free vulnerability in the XR component of Google Chrome on Windows. The flaw affects versions prior to 148.0.7778.179 and carries a CVSS v3.1 base score of 8.8, which falls in the High severity band.

Attackers can exploit this vulnerability by enticing a user to visit a specially crafted HTML page. Successful exploitation allows a remote attacker to execute arbitrary code within the context of the browser process. This is a classic client-side attack vector that relies on user interaction, but the impact is severe, granting the adversary significant control over the affected system.

Organizations must prioritize patching Chrome installations on Windows immediately. This type of vulnerability is a favorite of both opportunistic attackers and advanced persistent threat (APT) groups, as it provides a reliable pathway to initial access and subsequent payload delivery. Ignoring it means leaving a wide-open door for drive-by downloads and sophisticated phishing campaigns.

What This Means For You

  • If your organization relies on Google Chrome on Windows, you need to ensure all endpoints are updated to version 148.0.7778.179 or later. This isn't a 'wait and see' situation; a high-severity remote code execution in a browser is a direct pipeline for adversaries. Audit your patch management processes and push this update aggressively across your fleet to mitigate the risk of drive-by compromise.
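One way to act on that fleet-wide check, as an added example that is not part of the original advisory: a small Python triage script that compares each endpoint's reported Chrome version against the fixed build 148.0.7778.179 numerically, field by field, because plain string comparison gets Chrome's four-part versions wrong. The hostnames and version strings in the sample inventory are constructed for illustration.

```python
"""Flag Windows endpoints whose Chrome build is older than the fixed
version for CVE-2026-9118 (148.0.7778.179, per the advisory above)."""
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = "148.0.7778.179"  # first fixed build, from the advisory


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Chrome versions are four numeric fields (major.minor.build.patch).
    Return None for anything else so the caller reports it as 'unknown'
    rather than silently treating it as patched."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if older than the fixed build, False if patched, None if unparsable.
    Comparing int tuples field by field avoids the string-comparison bug
    where '148.0.7778.99' sorts above '148.0.7778.179' because '9' > '1'."""
    v, f = parse_version(version), parse_version(fixed)
    if v is None or f is None:
        return None
    return v < f


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket hostname -> reported version into vulnerable/patched/unknown."""
    result: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        state = is_vulnerable(version)
        key = "unknown" if state is None else ("vulnerable" if state else "patched")
        result[key].append(host)
    return result


# Constructed sample inventory: hostnames and versions are made up for
# illustration; in practice this comes from your endpoint-management export.
SAMPLE_INVENTORY = {
    "ws-0101": "148.0.7778.99",   # newer as a string, older as a version
    "ws-0102": "148.0.7778.179",  # exactly the fixed build
    "ws-0103": "147.0.7700.110",  # previous major, vulnerable
    "ws-0104": "148.0.7790.12",   # later build, patched
    "ws-0105": "unknown",         # agent could not read a version
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Endpoints that land in the "unknown" bucket deserve a manual look rather than being assumed safe.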

Indicators of Compromise

ID | Type | Indicator
CVE-2026-9118 | Use After Free | Google Chrome on Windows prior to 148.0.7778.179
CVE-2026-9118 | RCE | Execute arbitrary code via a crafted HTML page
CVE-2026-9118 | Memory Corruption | Use after free in XR component
Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 20, 2026 at 23:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
