Severity: HIGH | CVE-2026-9887 | Published / Modified | CNA: Chrome

CVE-2026-9887: Use after free in Proxy in Google Chrome prior to 148

Use after free in Proxy in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted PAC script. (Chromium security severity: Critical)

HarborGuard Analysis

Synopsis

Use-after-free vulnerability in the Proxy component of Google Chrome prior to version 148.0.7778.216. The flaw is triggered locally by a crafted PAC (proxy auto-configuration) script and requires the user to interact with malicious content, though no authentication is needed. Successful exploitation gives an attacker full code execution on the host, with high impact to confidentiality, integrity, and availability. A patched-image rebuild at version 148.0.7778.216 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-9887 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle a Chrome binary. Coverage extends to both registry scans and CI/CD pipeline checks so affected images are flagged before they reach production.

Triage (Available)

HarborGuard scores this CVE at 7.8 HIGH (CVSS v3.1) and surfaces it against each customer environment's compliance policy weighting, escalating priority where Chrome is present in runtime workloads. Triage findings are routed to the appropriate team inbox inside each customer organization based on image ownership and policy configuration.

Patch (Available)

A patched-image rebuild at Chrome 148.0.7778.216 is available on HarborGuard for any image found to contain an affected version. For customers with auto-remediation enabled, HarborGuard triggers the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Not required

    The attacker does not need direct network access to the target service; they need either an existing process or shell context on the host, or a way to deliver a malicious PAC script to a local user.

  • Authentication: Not required

    No account credentials or prior authentication are required to deliver the malicious PAC script that triggers the vulnerability.

  • Victim interaction: Required

    The victim must interact with attacker-controlled content (for example, loading a crafted PAC script) for the exploit to execute.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors.

Blast Radius

  • Executes arbitrary code in the context of the Chrome process on the victim's machine.
  • Reads sensitive data accessible to that process, including stored credentials, session tokens, and browser profile data.
  • Modifies or deletes files and data reachable by the compromised process.
  • Crashes or disrupts the Chrome process, denying service to the affected user.

How HarborGuard Handles This

Available on HarborGuard: images containing Google Chrome prior to 148.0.7778.216 are flagged automatically as affected by this CVE upon ingestion. For customers with auto-remediation enabled, HarborGuard initiates a patched-image rebuild at version 148.0.7778.216, runs a regression test pass against the rebuilt image, and opens a pull request targeting affected workloads. Median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy or organizational policy does not permit auto-remediation, the rebuilt image and a remediation recommendation are surfaced in the HarborGuard dashboard for manual review and promotion. Customers are advised to prioritize remediation given the combination of code execution impact, no authentication requirement, and low attack complexity.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: 148.0.7778.216
  • Affected Products: 1
  • Fix available: 148.0.7778.216
  • Affected packages: Google / Chrome < 148.0.7778.216 (from 148.0.7778.216)
  • CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H