CVE-2026-9976: Inappropriate implementation in USB in Google Chrome prior to 148
Inappropriate implementation in USB in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
HarborGuard Analysis
Synopsis
An inappropriate implementation flaw in the USB subsystem of Google Chrome prior to version 148.0.7778.216 allows a remote attacker to execute arbitrary code. The attacker reaches the vulnerability over the network without any authentication, but must convince a user to visit a crafted HTML page. Successful exploitation gives the attacker full code execution in the context of the browser process, with high impact on confidentiality, integrity, and availability. A patched-image rebuild at version 148.0.7778.216 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
- Detection: Available
Detection of CVE-2026-9976 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle Google Chrome. All registry scans and pipeline checks are capable of surfacing affected Chrome versions below 148.0.7778.216.
- Scoring and triage: Available
HarborGuard is capable of scoring this CVE at CVSS 8.8 HIGH and weighting it against each environment's compliance policy to determine urgency. Triage routing can direct findings to the appropriate team inbox within each customer organization based on policy configuration.
- Patched-image rebuild: Available
A patched-image rebuild at Chrome 148.0.7778.216 becomes available on HarborGuard for any image found to contain an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads.
Exploit Conditions
- Network reachability: Required
The attacker must reach the victim over the network, typically by serving a crafted HTML page from a remote host.
- Authentication: Not required
No account or credential is needed; the attacker sends the malicious page to any user without authenticating to the target.
- Victim interaction: Required
The victim must open or be redirected to a crafted HTML page, requiring a social-engineering step such as a phishing link or malicious ad.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and imposes no special preconditions, race conditions, or memory-layout requirements on the attacker.
Blast Radius
- The attacker executes arbitrary code in the Chrome browser process on the victim's machine.
- Session tokens, saved credentials, and any data accessible to the browser process can be read directly.
- The attacker can write or modify files and browser state that the Chrome process has access to.
- The browser process can be crashed or rendered unresponsive, disrupting the user's session.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of ingestion for any image containing Chrome below 148.0.7778.216, scored at CVSS 8.8 HIGH and routed per each environment's compliance policy. Where compliance policy permits, a rebuilt image pinned to the fixed version 148.0.7778.216 is made available, and for customers who opt into auto-remediation, HarborGuard triggers the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically. For high-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Until a rebuild is deployed, compensating controls such as network-policy restrictions on outbound browsing contexts, content-security-policy enforcement at the edge, and user-awareness measures can reduce exposure.
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 148.0.7778.216
- Affected Products: 1
Fix available
- Google / Chrome: < 148.0.7778.216 (fixed from 148.0.7778.216)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H