HIGH · CVE-2026-9961 · CNA: Chrome

CVE-2026-9961: Use after free in SurfaceCapture in Google Chrome prior to 148

Use after free in SurfaceCapture in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

HarborGuard Analysis

Synopsis

Use-after-free in the SurfaceCapture component of Google Chrome affects all versions prior to 148.0.7778.216. The vulnerability is reachable over the network and requires no authentication, but the target user must visit a crafted HTML page. Successful exploitation corrupts heap memory, giving an attacker read access to sensitive data, the ability to modify memory contents, and the ability to crash or take control of the affected process. A patched-image rebuild at version 148.0.7778.216 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: CVE-2026-9961 is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle a Chromium or Chrome binary.

Triage: Available

HarborGuard scores this CVE at 8.8 HIGH using the CVSS v3.1 vector and weighs it against each environment's compliance policy to determine urgency; findings are routed to the appropriate team inbox inside each customer organization.

Patch: Available

A patched-image rebuild at Chrome 148.0.7778.216 is available on HarborGuard for any environment running an affected version. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in those environments.

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network by luring the target to a crafted HTML page served from a remote host.

  • Authentication: Not required

    No account or credential is needed; the exploit is accessible to any unauthenticated network peer who can reach the target browser.

  • Victim interaction: Required

    The target user must actively visit the attacker-controlled HTML page, making social-engineering delivery (phishing link, malicious ad, redirect) a prerequisite.

  • Attack complexity (detail)

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors outside the attacker's control.

Blast Radius

  • Heap corruption grants the attacker the ability to read process memory, exposing session tokens, credentials, or other sensitive browser data.
  • The attacker can write arbitrary values into heap memory, modifying in-process data structures or injecting executable code.
  • The affected Chrome renderer or browser process can be crashed, disrupting the user's session and any dependent services.
  • Full compromise of the renderer process is achievable, enabling further privilege-escalation attempts against the underlying operating system.

How HarborGuard Handles This

Available on HarborGuard: any image containing a Chrome or Chromium binary older than 148.0.7778.216 is flagged immediately upon scan, with a severity rating of 8.8 HIGH. For customers with auto-remediation enabled, HarborGuard rebuilds the image at the patched version, executes regression tests, and opens a pull request against affected workloads; the median time from CVE publication to a merged patch PR for high-severity issues is around 90 minutes in those environments. Where compliance policy requires manual approval, the finding is queued in the team inbox with full CVSS context and a direct link to the upstream Chrome release notes for 148.0.7778.216. Because victim interaction is required for exploitation, teams that cannot patch immediately should consider network-policy controls that restrict which internal services can load arbitrary external URLs in a Chrome-based runtime, reducing the surface available for a crafted-page delivery.

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: 148.0.7778.216
  • Affected products: 1

Fix available: 148.0.7778.216

Affected packages
  • Google / Chrome: < 148.0.7778.216 (from 148.0.7778.216)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H