HarborGuard / CVE
Back to search
HIGHCVE-2026-9902Published Modified CNA Chrome

CVE-2026-9902: Use after free in Accessibility in Google Chrome prior to 148

Use after free in Accessibility in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

HarborGuard Analysis

HarborGuard analysis

Synopsis

A use-after-free vulnerability in the Accessibility component of Google Chrome prior to version 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to escape the Chrome sandbox via a crafted HTML page. The attack requires network reachability, no authentication, but does require a victim to interact with a malicious page, and the attacker must already control the renderer process, making this a high-complexity chained exploit. Successful exploitation gives the attacker code execution outside the Chrome sandbox, effectively breaking the primary isolation boundary between browser content and the underlying host. A patched-image rebuild at 148.0.7778.216 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-9902 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle Chrome or Chromium. Coverage applies to both registry scans and in-pipeline image checks at build time.

Available
Triage

HarborGuard is capable of scoring this CVE at CVSS 8.3 HIGH and surfacing it according to each customer organization's compliance policy weighting, which can elevate priority for images running in internet-exposed or privileged workloads. Routing to the appropriate team inbox within each customer org is handled automatically based on configured policy.

Available
Patch

A patched-image rebuild pinned to Chrome 148.0.7778.216 is available on HarborGuard for any image found to carry an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads without requiring manual intervention.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker delivers the crafted HTML page over the network, so the victim's browser must be reachable and the attacker must be able to serve content to it.

  • AuthenticationNot required

    No account or credential is needed; the attack is launched from an unauthenticated web page served to the victim.

  • Victim interactionRequired

    The victim must visit or be redirected to the attacker-controlled HTML page, making social engineering or a malicious ad/link a prerequisite.

  • Attack complexityDetail

    Exploitation is high-complexity because it requires a prior renderer-process compromise as a stepping stone before the use-after-free sandbox escape can be triggered.

Blast Radius

  • Attacker breaks out of the Chrome sandbox, gaining code execution in the context of the browser process on the victim host.
  • With sandbox escape achieved, the attacker reads files, credentials, and session data accessible to the user running Chrome.
  • The attacker can write to or modify files and persistent storage on the host, including browser profile data and OS-level user directories.
  • The attacker can terminate or disrupt the Chrome process and any dependent browser-hosted services, causing a denial of service to the victim.

How HarborGuard Handles This

Available on HarborGuard: images containing Google Chrome versions below 148.0.7778.216 are flagged automatically as each registry and pipeline scan completes. Because this is a chained sandbox-escape with a CVSS score of 8.3 HIGH and a confirmed fix version, a rebuilt image at 148.0.7778.216 is queued for generation as soon as the affected image is identified. For customers who opt into auto-remediation, the median time from CVE publication to a merged patch PR for high-severity issues is around 90 minutes, covering the rebuild, regression run, and PR opening against affected workloads. Where compliance policy requires manual approval, the rebuild artifact and a pre-filled PR are staged and waiting for reviewer sign-off. Because the exploit chain requires a pre-compromised renderer, teams should also consider network-policy controls that restrict outbound connections from Chrome-based workloads, reducing the attacker's ability to exfiltrate data or reach internal services even if a renderer compromise occurs.

See how HarborGuard automates this

Metrics

CVSS v3.1
8.3
Severity
HIGH
Fixed in
148.0.7778.216
Affected Products
1

Fix available

148.0.7778.216
Affected packages
  • Google / Chrome
    < 148.0.7778.216 (from 148.0.7778.216)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
References
CVE-2026-9902: Use after free in Accessibility in Google Chrome prior to 148 | HarborGuard CVE