How is CVE-2026-9964 exploited?

Network reachability (required): The attack is delivered over the network, meaning the attacker must be able to reach the victim's browser session or distribution channel remotely to deliver the malicious extension. Authentication (not-required): No authentication or existing account on the target system is required to attempt exploitation. Victim interaction (required): The attacker must socially engineer the target user into installing a crafted malicious Chrome extension before the vulnerability can be triggered. Attack complexity (info): Attack complexity is rated High, meaning exploitation depends on environmental conditions or timing factors beyond the attacker's direct control, reducing reliability.

What is the impact of CVE-2026-9964?

A successful exploit executes arbitrary code in the context of the Chrome process on the affected Mac host. The attacker can read sensitive data accessible to the browser, including stored credentials, session tokens, and browsing history. The attacker can write or modify data accessible to the Chrome process, including locally cached files and extension storage. The Chrome process can be crashed or made unresponsive, disrupting browser availability for the affected user.

Back to search

HIGHCVE-2026-9964Published 2026-05-28Modified 2026-05-30CNA Chrome

CVE-2026-9964: Use after free in Bluetooth in Google Chrome on Mac prior to 148

Use after free in Bluetooth in Google Chrome on Mac prior to 148.0.7778.216 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: High)

HarborGuard Analysis

HarborGuard analysis

Synopsis

Use-after-free vulnerability in the Bluetooth component of Google Chrome on macOS affects all Chrome versions prior to 148.0.7778.216. The flaw is reachable over the network but requires high attack complexity, and no authentication is needed; exploitation requires convincing a user to install a malicious Chrome extension. Successful exploitation gives an attacker arbitrary code execution on the affected host. A patched-image rebuild at version 148.0.7778.216 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-9964 is available across every HarborGuard environment, with ingestion from upstream feeds including the Chrome security advisory within minutes of publication. Matching runs against all customer container images in connected registries and CI/CD pipelines, including custom-built images that bundle a Chrome or Chromium binary.

Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 8.1 (High) and weighting it further against each environment's compliance policy to prioritize routing. Triage findings are routable to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

A patched-image rebuild at Chrome 148.0.7778.216 is available on HarborGuard for any image found to carry an affected version of Chrome or Chromium. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled.

Available

Exploit Conditions

Network reachabilityRequired
The attack is delivered over the network, meaning the attacker must be able to reach the victim's browser session or distribution channel remotely to deliver the malicious extension.
AuthenticationNot required
No authentication or existing account on the target system is required to attempt exploitation.
Victim interactionRequired
The attacker must socially engineer the target user into installing a crafted malicious Chrome extension before the vulnerability can be triggered.
Attack complexityDetail
Attack complexity is rated High, meaning exploitation depends on environmental conditions or timing factors beyond the attacker's direct control, reducing reliability.

Blast Radius

A successful exploit executes arbitrary code in the context of the Chrome process on the affected Mac host.
The attacker can read sensitive data accessible to the browser, including stored credentials, session tokens, and browsing history.
The attacker can write or modify data accessible to the Chrome process, including locally cached files and extension storage.
The Chrome process can be crashed or made unresponsive, disrupting browser availability for the affected user.

How HarborGuard Handles This

Available on HarborGuard: detection and rebuild capabilities for CVE-2026-9964 are active for any customer image that bundles Chrome or Chromium below version 148.0.7778.216. Where compliance policy permits auto-remediation, HarborGuard rebuilds the affected image at the patched version, runs a regression test, and opens a PR against the affected workload; for high-severity issues the median time from CVE publication to merged patch PR is around 90 minutes. For environments where auto-remediation is not enabled, the rebuilt image at 148.0.7778.216 is staged and waiting for manual promotion. In the interim, network-policy controls that restrict which extension sources users can reach, combined with enterprise extension allowlisting policies enforced at the image or policy layer, serve as compensating controls to reduce the social-engineering surface this vulnerability depends on.

See how HarborGuard automates this

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: 148.0.7778.216
Affected Products: 1

Fix available

148.0.7778.216

Affected packages

Google / Chrome
< 148.0.7778.216 (from 148.0.7778.216)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Metrics

Fix available