CVE-2026-9933: Use after free in Input in Google Chrome prior to 148
Use after free in Input in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the Input handling component of Google Chrome allows a remote attacker to corrupt heap memory. The attacker must reach the victim over the network and convince them to perform specific UI gestures on a crafted HTML page; no authentication is required. Successful exploitation gives the attacker read access to sensitive memory contents, the ability to modify memory state, and the ability to crash or hijack the browser process. A patched-image rebuild at version 148.0.7778.216 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
- Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle a Chromium or Chrome binary.
- HarborGuard scores this issue at CVSS 7.5 (High) and weights it against each environment's compliance policy to determine priority routing; findings are dispatched to the appropriate team inbox within each customer organization based on configured ownership rules.
- A patched-image rebuild at Chrome 148.0.7778.216 is available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The attacker delivers the crafted HTML page over the network, requiring the victim's browser to be reachable or for the victim to browse to an attacker-controlled URL.
- Authentication: Not required
  No account or credentials on any system are needed; the attack is launched entirely through a web page served to an unauthenticated visitor.
- Victim interaction: Required
  The attacker must convince the victim to perform specific UI gestures (such as clicks or input sequences) on the crafted page, making a social-engineering step necessary.
- Attack complexity: High
  Exploitation is rated High complexity, meaning the attacker must account for environmental factors such as heap memory layout or timing conditions to trigger the use-after-free reliably.
Blast Radius
- A successful exploit reads heap memory contents from the browser process, exposing stored credentials, session tokens, or page data.
- The attacker can write to freed heap memory, modifying browser state or injecting attacker-controlled data into live objects.
- Full compromise of the renderer or browser process is achievable, enabling arbitrary code execution in the context of the Chrome process.
- The browser process can be crashed, causing a denial of service for the affected user session.
How HarborGuard Handles This
Available on HarborGuard: images containing a Chrome or Chromium binary below version 148.0.7778.216 are flagged automatically as each registry scan and pipeline check runs. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the patched version, executes a regression test run, and opens a pull request against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the triage finding and suggested rebuild are routed to the designated team inbox so the upgrade can be reviewed and promoted on the team's own schedule.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 148.0.7778.216
- Affected Products: 1
Fix available
- Google / Chrome: < 148.0.7778.216 (from 148.0.7778.216)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H