CVE-2026-9972: Uninitialized Use in Gamepad in Google Chrome on Mac prior to 148
Uninitialized Use in Gamepad in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
HarborGuard Analysis
Synopsis
Uninitialized memory use in the Gamepad component of Google Chrome on macOS allows a remote attacker who has already compromised the renderer process to escape the browser sandbox via a crafted HTML page. The vulnerability is reachable over the network but requires the victim to interact with attacker-controlled content, and exploitation involves high attack complexity due to the prerequisite renderer compromise. Successful exploitation gives the attacker full read, write, and disruption capability beyond the sandbox boundary. A patched-image rebuild at version 148.0.7778.216 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection for CVE-2026-9972 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication from upstream feeds. Coverage extends to custom-built images that bundle or layer Chrome on macOS-targeted container workloads.
Available
HarborGuard is capable of scoring this CVE at CVSS 8.3 (High) and weighting it against each environment's compliance policy to reflect organizational risk tolerance. Triage routing to the appropriate team inbox within each customer organization is available automatically based on policy configuration.
Available
A patched-image rebuild at Chrome 148.0.7778.216 becomes available on HarborGuard for any image found running an affected version. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a pull request against affected workloads.
Available
Exploit Conditions
- Network reachability: Required
The attacker delivers the crafted HTML page over the network, so the target service or browser must be reachable from a remote origin.
- Authentication: Not required
No authentication or account credentials are needed to deliver the malicious page to the victim.
- Victim interaction: Required
The victim must visit or be directed to a crafted HTML page, making a social-engineering or drive-by delivery step necessary.
- Attack complexity: Detail
Exploitation requires the attacker to have already compromised the renderer process before the sandbox escape can be attempted, introducing a significant environmental prerequisite.
Blast Radius
- A successful attacker breaks out of the Chrome renderer sandbox on macOS, gaining execution capability in a broader host context.
- Confidentiality impact is high: the attacker reads data accessible outside the sandbox, including files and memory regions belonging to other processes.
- Integrity impact is high: the attacker writes or modifies data and can tamper with files or process state beyond the sandbox boundary.
- Availability impact is high: the attacker disrupts or crashes processes and services running outside the sandbox.
How HarborGuard Handles This
Available on HarborGuard: detection for this CVE is matched against customer images within minutes of publication. For environments confirmed to run a Chrome version below 148.0.7778.216 in a container image, a rebuilt image at the patched version is available. For customers who opt into auto-remediation, HarborGuard can trigger the rebuild, execute a regression run, and open a pull request against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and full CVSS detail are surfaced in the HarborGuard dashboard for team review. Given the sandbox-escape nature of this vulnerability and the high-complexity prerequisite, teams that cannot patch immediately should consider restricting network access to affected workloads and auditing which container images include Chrome on macOS base layers.
Metrics
- CVSS v3.1: 8.3
- Severity: HIGH
- Fixed in: 148.0.7778.216
- Affected Products: 1
Fix available
- Google / Chrome < 148.0.7778.216 (from 148.0.7778.216)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H