Severity: HIGH | CVE-2026-9974 | CNA: Chrome

CVE-2026-9974: Out of bounds write in GPU in Google Chrome prior to 148

Out of bounds write in GPU in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

HarborGuard Analysis

Synopsis

An out-of-bounds write vulnerability in the GPU component of Google Chrome prior to version 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to escape Chrome's sandbox by delivering a crafted HTML page. The attack requires network reachability, no authentication, victim interaction (opening a page), and a high-complexity precondition (prior renderer compromise). Successful exploitation gives the attacker full code execution outside the browser sandbox, with high impact on confidentiality, integrity, and availability. A patched-image rebuild at 148.0.7778.216 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection capability for CVE-2026-9974 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication, including custom-built images that bundle or ship Chrome. Ingestion pulls from upstream advisory feeds automatically so no manual configuration is needed to gain coverage.

Triage: Available

HarborGuard is capable of scoring this CVE at 8.3 HIGH using the published CVSS v3.1 vector and weighting it further against each customer environment's compliance policy. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch: Available

A patched-image rebuild pinned to Chrome 148.0.7778.216 becomes available in HarborGuard the moment the fix version is confirmed in upstream package feeds. For customers who opt into auto-remediation, HarborGuard rebuilds the affected image, runs a regression test suite against it, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the victim over the network, typically by serving a crafted HTML page from a remote host.

  • Authentication: Not required

    No account or credential is needed; the attack can be launched against any user who browses to a malicious page.

  • Victim interaction: Required

    The victim must open or be redirected to the attacker-controlled HTML page, making this a social-engineering or drive-by delivery scenario.

  • Attack complexity: Detail

    Exploitation is rated high complexity because it requires the attacker to have already compromised the Chrome renderer process before the GPU out-of-bounds write can be used for sandbox escape.

Blast Radius

  • Attacker escapes the Chrome sandbox and executes arbitrary code at the privilege level of the browser process on the victim host.
  • Full read access to files and secrets accessible to the browser user account, including stored credentials, cookies, and session tokens.
  • Attacker can write or modify files on the host filesystem within the browser user's permission scope.
  • The host process can be crashed or made unstable, causing a denial of service for the affected user session.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-9974 is active for any image that ships or depends on a Chrome build older than 148.0.7778.216. Where a customer's compliance policy permits auto-remediation, HarborGuard rebuilds the affected image at the patched version, runs regression tests, and opens a PR against affected workloads; for high-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes for environments with auto-remediation enabled. For customers who have not enabled auto-remediation, the rebuilt image at 148.0.7778.216 is still made available in the HarborGuard registry so teams can pull and deploy it on their own schedule. Because this exploit chain requires a prior renderer compromise, teams that cannot immediately patch may reduce risk by enforcing strict Content Security Policy headers and network-egress controls on workloads that embed Chrome, limiting an attacker's ability to establish the renderer foothold that this vulnerability depends on.

Metrics

CVSS v3.1: 8.3
Severity: HIGH
Fixed in: 148.0.7778.216
Affected Products: 1

Fix available: 148.0.7778.216

Affected packages
  • Google / Chrome: < 148.0.7778.216 (from 148.0.7778.216)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H