CVE-2026-9945: Use after free in Media in Google Chrome on Windows prior to 148
Use after free in Media in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
HarborGuard Analysis
Synopsis
Use-after-free in the Media component of Google Chrome on Windows affects versions prior to 148.0.7778.216. The vulnerability is reachable over the network without any authentication, but requires the target user to visit a specially crafted HTML page. Successful exploitation lets a remote attacker execute arbitrary code inside the Chrome sandbox. A patched-image rebuild at version 148.0.7778.216 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Chrome on Windows base layers. Any image carrying a Chrome version below 148.0.7778.216 is flagged automatically.
Available
HarborGuard scores this CVE at 8.8 HIGH using the CVSS v3.1 vector and can weight that score against each customer environment's compliance policy to determine urgency and routing. Findings are surfaced to the appropriate team inbox within the customer org based on configured ownership rules.
Available
A patched-image rebuild at Chrome 148.0.7778.216 becomes available on HarborGuard as soon as the upstream fix is published. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads; in those environments, the median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes.
Available
Exploit Conditions
- Network reachability: Required
The attacker delivers the exploit over the network; the target only needs to load a page the attacker controls.
- Authentication: Not required
No account or credential of any kind is needed; the attack works against any unauthenticated browser session.
- Victim interaction: Required
The target user must visit a crafted HTML page, making this a social-engineering vector that relies on the user clicking a link or being redirected.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit is reliable and requires no special race condition, memory layout dependency, or other environmental precondition.
Blast Radius
- The attacker executes arbitrary code inside the Chrome renderer sandbox on the victim's Windows host.
- Confidential data accessible to the browser process, such as stored credentials, session tokens, and page content, is exposed to the attacker.
- The attacker can write or modify data within the sandbox's reach, including cached files and browser-accessible storage.
- The affected Chrome process can be crashed or rendered unresponsive, disrupting the user's browsing session.
How HarborGuard Handles This
Available on HarborGuard: any image bundling Google Chrome on a Windows base layer is automatically scanned and flagged if the installed version is below 148.0.7778.216. Where compliance policy permits, customers with auto-remediation enabled receive a rebuilt image at the patched version, a regression-test run against that image, and a pull request opened against affected workloads, with a median time to merged patch PR of around 90 minutes for high-severity issues. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with the CVSS 8.8 score, the affected version range, and a direct reference to the upstream fix so engineers can act without additional research.
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 148.0.7778.216
- Affected Products: 1
Fix available
- Google / Chrome < 148.0.7778.216 (from 148.0.7778.216)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H