Severity: HIGH | CVE-2026-9939 | CNA: Chrome

CVE-2026-9939: Heap buffer overflow in WebCodecs in Google Chrome prior to 148

Heap buffer overflow in WebCodecs in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

HarborGuard Analysis

Synopsis

A heap buffer overflow in the WebCodecs component of Google Chrome before version 148.0.7778.216 allows a remote attacker to execute arbitrary code inside the browser sandbox by luring a user to a crafted HTML page. The vulnerability is reachable over the network and requires no authentication, only a single user interaction (visiting a malicious page). Successful exploitation gives the attacker arbitrary code execution within the Chrome sandbox; any impact beyond the sandbox depends on the attacker also having a sandbox escape. A patched-image rebuild at version 148.0.7778.216 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-9939 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including the Chrome security advisory. Coverage extends to custom-built images that bundle Chrome or Chromium as a dependency, not just upstream base images.

Status: Available

Triage

HarborGuard scores this CVE at 8.8 HIGH using the CVSS v3.1 vector and surfaces it accordingly in each customer environment, weighted against that environment's compliance policy. Triage routing directs the finding to the appropriate team inbox within the customer org based on configured ownership rules.

Status: Available

Patch

A patched-image rebuild at Chrome 148.0.7778.216 becomes available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a PR against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network by directing the victim to a crafted HTML page, so the Chrome instance must be able to load attacker-controlled content over normal browser traffic.

  • Authentication: Not required

    No account or credential is needed; any unauthenticated user who visits the attacker-controlled page is a valid target.

  • Victim interaction: Required

    The victim must open a crafted HTML page, meaning the attacker relies on social engineering or a malicious link to trigger the overflow.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors.

Blast Radius

  • Attacker executes arbitrary code inside the Chrome renderer sandbox, gaining full control of the sandboxed process.
  • Files, cookies, and session tokens accessible to the renderer process can be read or exfiltrated.
  • Sandboxed process memory and state can be modified, enabling manipulation of page content and local data visible to that process.
  • If combined with a separate sandbox-escape primitive, the attacker gains code execution at the OS user level of the Chrome process owner.

How HarborGuard Handles This

Available on HarborGuard: images containing Chrome versions below 148.0.7778.216 are flagged automatically as each customer registry and pipeline is scanned, with the CVE matched within minutes of publication. A patched rebuild at 148.0.7778.216 is prepared and available for affected environments. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs regression tests, and opens a PR against affected workloads; the median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy restricts automated changes, the finding is routed to the designated team inbox with full CVSS context so manual promotion can proceed without delay.


Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 148.0.7778.216
Affected Products: 1

Fix available: 148.0.7778.216

Affected packages
  • Google / Chrome
    < 148.0.7778.216 (from 148.0.7778.216)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H