CVE-2026-9918: Inappropriate implementation in Tint in Google Chrome prior to 148
Inappropriate implementation in Tint in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
HarborGuard Analysis
Synopsis
An inappropriate implementation flaw in the Tint rendering component of Google Chrome prior to version 148.0.7778.216 allows a remote attacker to escape the browser sandbox by tricking a user into visiting a crafted HTML page. The vulnerability is reachable over the network, requires no authentication, but does require the victim to interact with attacker-controlled content. Successful exploitation gives the attacker full read, write, and availability impact on the affected system, breaking out of the browser sandbox entirely. A patched-image rebuild at version 148.0.7778.216 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection capability for CVE-2026-9918 is available across every HarborGuard environment, with the CVE matched against customer images, including custom-built images containing Chrome, within minutes of publication from upstream feeds. Any image in a customer registry or CI/CD pipeline that bundles a pre-148.0.7778.216 Chrome binary is flagged automatically.
Available
HarborGuard scores this CVE at 9.6 CVSS v3.1 (Critical) and surfaces it accordingly in each customer org's triage queue, weighted against that environment's compliance policy. Routing rules direct the alert to the team or inbox responsible for the affected workloads in each customer environment.
Available
A patched-image rebuild at Chrome 148.0.7778.216 becomes available through HarborGuard the moment the fix version is confirmed in the upstream advisory. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a PR against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Required
  The attacker must reach the victim over the network, delivering a crafted HTML page via a browser-accessible URL.
- Authentication: Not required
  No account or credential is needed; any unauthenticated remote attacker can attempt the exploit.
- Victim interaction: Required
  The victim must visit or be redirected to an attacker-controlled HTML page, making social engineering or malicious ad delivery the likely delivery vector.
- Attack complexity: Detail
  Attack complexity is Low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental prerequisites beyond victim interaction.
Blast Radius
- A successful attacker escapes the Chrome browser sandbox, gaining code execution outside the browser process boundary.
- With sandbox escape achieved, the attacker can read files and data accessible to the user running Chrome, including stored credentials and session tokens.
- The attacker can write or modify files on the host system under the permissions of the compromised user account.
- The attacker can disrupt or crash host-level processes accessible to that user, affecting availability beyond the browser itself.
How HarborGuard Handles This
Available on HarborGuard: detection and remediation capability for CVE-2026-9918 is ready across customer environments the moment the CVE enters upstream feeds. For any image found to include a Chrome binary older than 148.0.7778.216, HarborGuard marks the image as critically vulnerable and queues it for rebuild at the patched version. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at 148.0.7778.216, runs a regression test suite, and opens a PR against affected workloads; the median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments that require manual approval, the rebuilt image and test results are staged and waiting for sign-off in the HarborGuard dashboard.
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: 148.0.7778.216
- Affected Products: 1
Fix available
- Google / Chrome < 148.0.7778.216 (from 148.0.7778.216)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H