CVE-2026-9973: Out of bounds write in V8 in Google Chrome prior to 148
Out of bounds write in V8 in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
HarborGuard Analysis
HarborGuard analysisSynopsis
An out-of-bounds write vulnerability in V8, the JavaScript engine embedded in Google Chrome, affects all Chrome versions prior to 148.0.7778.216. The flaw is reachable over the network and requires no authentication, but does require the victim to visit a crafted HTML page. Successful exploitation gives a remote attacker arbitrary code execution inside Chrome's sandbox. A patched-image rebuild at version 148.0.7778.216 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-9973 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle a Chrome or Chromium binary. Coverage extends to both registry scans and active pipeline builds.
AvailableHarborGuard scores this CVE at 8.8 HIGH (CVSS v3.1) and is capable of weighting that score against each environment's compliance policy to determine escalation priority. Routing to the appropriate team inbox within each customer organization is available as part of the standard triage pipeline.
AvailableA patched-image rebuild pinned to Chrome 148.0.7778.216 is available for any image found to carry an affected version. For customers with auto-remediation enabled, HarborGuard can trigger the rebuild, run a regression test suite, and open a PR against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker delivers the exploit over the network by directing the victim to a crafted HTML page, so the Chrome instance must be reachable via normal browser traffic.
- AuthenticationNot required
No account or credential is needed; any unauthenticated remote attacker can serve the malicious page.
- Victim interactionRequired
The victim must navigate to or be socially engineered into visiting the attacker-controlled HTML page for the exploit to trigger.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory layout dependencies, or other environmental prerequisites.
Blast Radius
- The attacker executes arbitrary code within the Chrome renderer sandbox, gaining full control of the sandboxed process.
- Confidential data processed by the browser, including stored credentials, session tokens, and page content, is exposed to the attacker.
- The attacker can write to memory regions accessible within the sandbox, enabling modification of in-process state and data.
- The affected Chrome process can be crashed or destabilized, causing loss of browser availability for the user.
How HarborGuard Handles This
Available on HarborGuard: any container image found to include a Chrome or Chromium binary older than 148.0.7778.216 is flagged against this CVE within minutes of the advisory entering HarborGuard's ingest pipeline. For customers with auto-remediation enabled, a rebuilt image at the fixed version becomes available, paired with a regression-test run and a PR opened against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR in auto-remediation environments is around 90 minutes. Where compliance policy requires manual approval, the rebuilt image and triage report are staged and routed to the appropriate team inbox for review. Customers who cannot immediately update should consider network-policy controls that restrict which workloads can spawn or embed a Chrome process, reducing exposure while the patched image is validated.
Metrics
- CVSS v3.1
- 8.8
- Severity
- HIGH
- Fixed in
- 148.0.7778.216
- Affected Products
- 1
Fix available
- Google / Chrome< 148.0.7778.216 (from 148.0.7778.216)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H