CVE-2026-9883: Use after free in Base in Google Chrome prior to 148
Use after free in Base in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
HarborGuard Analysis
Synopsis
Use-after-free in the Base component of Google Chrome (versions prior to 148.0.7778.216) allows a remote attacker to execute arbitrary code by luring a user to a crafted HTML page. The vulnerability is reachable over the network and requires no authentication, though it does require the victim to visit a malicious page. Successful exploitation gives the attacker full code execution inside the Chrome process. A patched-image rebuild at 148.0.7778.216 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-9883 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle a Chromium or Chrome binary. No manual scan trigger is needed for the match to surface.
HarborGuard is capable of scoring this CVE at CVSS 8.8 (High) against each matched image and weighting that score against the per-environment compliance policy configured for the customer org. Triage results are routed to the inbox or ticketing integration the customer has defined, so the right team sees the finding without manual forwarding.
A patched-image rebuild pinned to Chrome 148.0.7778.216 is available on HarborGuard for any environment where an affected image is detected. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Required
The attacker delivers the exploit over the network by directing the victim to a crafted HTML page, so the Chrome instance must be reachable through normal internet or intranet browsing.
- Authentication: Not required
No account or credential of any kind is required; any unauthenticated remote party can serve the malicious page.
- Victim interaction: Required
The victim must open or be redirected to the attacker-controlled HTML page, making this a social-engineering or drive-by-navigation scenario.
- Attack complexity: Detail
Attack complexity is Low, meaning the exploit is reliable and imposes no special race conditions, memory-layout requirements, or other environmental preconditions on the attacker.
Blast Radius
- The attacker gains arbitrary code execution inside the Chrome renderer or browser process, enabling them to run any code the process is permitted to run.
- Confidential data accessible to the Chrome process, including stored credentials, session cookies, and page content, is exposed to the attacker.
- The attacker can write or modify files and browser state that the process has access to, including saved passwords, extensions, and cached data.
- The affected Chrome process can be crashed or held hostage, denying the user access to the browser and any web-based workflows depending on it.
How HarborGuard Handles This
Available on HarborGuard: any container image that bundles Google Chrome below 148.0.7778.216 is flagged automatically upon CVE ingestion, with no manual scan required. Where compliance policy permits, a rebuilt image pinned to the fixed version 148.0.7778.216 becomes available immediately, and customers who opt into auto-remediation receive a full rebuild, a regression-test run, and a pull request opened against affected workloads. For high-severity findings like this one, the median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with CVSS 8.8 scoring and compliance-policy weighting so the responsible team can act on the upgrade manually. Given that exploitation requires only a victim visiting a page (no authentication, low complexity), upgrading to 148.0.7778.216 is the primary control; in the interim, network-policy rules that restrict which hosts Chrome-based workloads can reach may reduce exposure surface.
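For teams acting on the upgrade manually, the version test described above can be reproduced with a few lines. This is an added example, not HarborGuard's code; it assumes version strings as printed by `google-chrome --version` or a similar command, and the image names and sample outputs are constructed.

```python
import re

# Fixed version as stated on this page.
FIXED = (148, 0, 7778, 216)

# Chrome/Chromium versions are four dot-separated integers (MAJOR.MINOR.BUILD.PATCH).
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_chrome_version(text):
    """Return the first four-part version in `text` as an int tuple, or None."""
    m = _VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_output):
    """Classify one version string as 'affected', 'patched' or 'unknown'."""
    v = parse_chrome_version(version_output)
    if v is None:
        return "unknown"  # unparsable: route to manual review, do not assume safe
    # Tuple comparison is numeric per component; comparing the raw strings
    # would rank "148.0.7778.99" above "148.0.7778.216".
    return "affected" if v < FIXED else "patched"


def triage(inventory):
    """Map image name -> status for a dict of image name -> version output."""
    return {image: classify(out) for image, out in inventory.items()}


# Constructed sample inventory (image names and outputs are made up).
SAMPLE = {
    "registry.example/web-e2e:1": "Google Chrome 148.0.7778.99",
    "registry.example/pdf-render:7": "Chromium 148.0.7778.216 built on Debian",
    "registry.example/scraper:3": "Google Chrome 147.0.7700.12 beta",
    "registry.example/crawler:2": "HeadlessChrome/149.0.7801.5",
    "registry.example/legacy:9": "chrome: not found",
}

if __name__ == "__main__":
    for image, status in sorted(triage(SAMPLE).items()):
        print(f"{status:8} {image}")
```

An `unknown` result means the binary's version could not be read, so the image still needs inspection before it is treated as patched.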
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 148.0.7778.216
- Affected Products: 1
Fix available
- Google / Chrome < 148.0.7778.216 (from 148.0.7778.216)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H