HIGH · CVE-2026-9970 · CNA: Chrome

CVE-2026-9970: Use after free in WebGL in Google Chrome prior to 148

Use after free in WebGL in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

HarborGuard analysis

Synopsis

A use-after-free in the WebGL component of Google Chrome (versions prior to 148.0.7778.216) allows a remote attacker who has already compromised the renderer process to escape the browser sandbox by luring a user to a crafted HTML page. The vulnerability is reachable over the network but requires user interaction and depends on a pre-existing renderer compromise, which raises the bar for exploitation while still enabling full confidentiality, integrity, and availability impact across the browser scope. A patched-image rebuild at version 148.0.7778.216 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-9970 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication by ingesting from upstream feeds including the Chrome release advisory. This capability covers custom-built images that bundle a Chromium or Chrome binary, not just upstream base images.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 8.3 HIGH and weighting it further against each customer organization's compliance policy (for example, stricter thresholds for internet-facing workloads) before routing findings to the appropriate team inbox inside that environment.

Status: Available

Patch

A patched-image rebuild at Chrome 148.0.7778.216 becomes available in HarborGuard the moment the fix version is indexed from upstream. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite against the updated image, and open a PR against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the crafted HTML page over the network, so the targeted browser must be able to reach an attacker-controlled web resource.

  • Authentication: Not required

    No account or credential is needed; the attacker only needs to get the victim to load a page.

  • Victim interaction: Required

    A user must visit or be redirected to the crafted HTML page, making a social-engineering or malvertising step a necessary part of the attack chain.

  • Attack complexity: Detail

    Attack complexity is HIGH because a successful sandbox escape requires the attacker to have already compromised the Chrome renderer process, adding a significant prerequisite condition beyond simply serving a malicious page.

Blast Radius

  • A successful attacker escapes the Chrome sandbox, breaking the isolation boundary intended to contain renderer-level compromises.
  • With sandbox escape achieved, the attacker gains read access to files and data outside the browser's sandboxed scope, including session tokens, locally stored credentials, and user files.
  • The attacker can write or modify data on the host, including injecting files or altering application state outside the browser process.
  • The attacker can crash or destabilize processes outside the sandbox, causing service disruption beyond the browser tab in which the exploit runs.

How HarborGuard Handles This

Available on HarborGuard: any image found to bundle a Chrome or Chromium binary older than 148.0.7778.216 will surface this CVE as a HIGH-severity finding, scored at CVSS 8.3, within minutes of the advisory being ingested. A patched-image rebuild targeting version 148.0.7778.216 is available for affected images. For customers who opt into auto-remediation, HarborGuard can rebuild the image, execute a regression test run, and open a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the configured team inbox with the CVSS score, vector breakdown, and fix-version detail attached for fast human review.

Metrics

  • CVSS v3.1: 8.3
  • Severity: HIGH
  • Fixed in: 148.0.7778.216
  • Affected Products: 1

Fix available: 148.0.7778.216

Affected packages

  • Google / Chrome: < 148.0.7778.216 (from 148.0.7778.216)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H