How is CVE-2026-9988 exploited?

Network reachability (required): The attacker delivers the exploit over the network by directing a victim to a crafted HTML page hosted remotely. Authentication (not-required): No account or credentials on the target system are needed; the attack is fully unauthenticated. Victim interaction (required): The victim must be socially engineered into visiting a crafted HTML page, making user interaction a prerequisite for exploitation. Attack complexity (info): CVSS rates this AC:H, meaning the exploit depends on conditions beyond the attacker's direct control, such as timing, memory layout, or specific runtime state in the WebRTC component.

What is the impact of CVE-2026-9988?

A successful sandbox escape lets the attacker execute code outside Chrome's sandboxed renderer, gaining access to the underlying Linux user session. High confidentiality impact means the attacker reads files, credentials, and session data accessible to the browser process owner. High integrity impact means the attacker writes or modifies files and system state outside the browser sandbox. High availability impact means the attacker can crash or disrupt the host process and dependent services.

Back to search

HIGHCVE-2026-9988Published 2026-05-28Modified 2026-05-30CNA Chrome

CVE-2026-9988: Use after free in WebRTC in Google Chrome on Linux prior to 148

Use after free in WebRTC in Google Chrome on Linux prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

HarborGuard Analysis

HarborGuard analysis

Synopsis

Use-after-free in the WebRTC component of Google Chrome on Linux, affecting all versions prior to 148.0.7778.216. The vulnerability is reachable over the network and requires no authentication, though the attacker must convince a user to visit a crafted HTML page; CVSS scores this at 8.3 High. Successful exploitation allows a remote attacker to escape the Chrome sandbox, gaining the ability to read, modify, or disrupt data beyond the browser's isolation boundary. A patched-image rebuild at version 148.0.7778.216 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection of CVE-2026-9988 is available across every HarborGuard environment; the CVE is matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle a Chrome binary. Any image carrying a Chrome version below 148.0.7778.216 on Linux is flagged automatically.

Available

Triage

HarborGuard is capable of scoring this finding at CVSS 8.3 High and weighting it against each environment's compliance policy to determine urgency and escalation path. Triage routing to the appropriate team inbox within a customer org is available as part of the standard pipeline.

Available

Patch

A patched-image rebuild pinned to Chrome 148.0.7778.216 becomes available in HarborGuard as soon as the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard can run a rebuild, execute a regression test pass, and open a PR against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the exploit over the network by directing a victim to a crafted HTML page hosted remotely.
AuthenticationNot required
No account or credentials on the target system are needed; the attack is fully unauthenticated.
Victim interactionRequired
The victim must be socially engineered into visiting a crafted HTML page, making user interaction a prerequisite for exploitation.
Attack complexityDetail
CVSS rates this AC:H, meaning the exploit depends on conditions beyond the attacker's direct control, such as timing, memory layout, or specific runtime state in the WebRTC component.

Blast Radius

A successful sandbox escape lets the attacker execute code outside Chrome's sandboxed renderer, gaining access to the underlying Linux user session.
High confidentiality impact means the attacker reads files, credentials, and session data accessible to the browser process owner.
High integrity impact means the attacker writes or modifies files and system state outside the browser sandbox.
High availability impact means the attacker can crash or disrupt the host process and dependent services.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any scanned image that ships Chrome below 148.0.7778.216 on Linux, including internally built images. A patched-image rebuild at 148.0.7778.216 is available for affected environments. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, HarborGuard surfaces the finding with full CVSS context and fix-version detail so engineering teams can act manually. Given the sandbox-escape scope of this vulnerability, prioritizing rapid upgrade to 148.0.7778.216 in any image that runs Chrome on Linux is strongly advised.

See how HarborGuard automates this

CVSS v3.1: 8.3
Severity: HIGH
Fixed in: 148.0.7778.216
Affected Products: 1

Fix available

148.0.7778.216

Affected packages

Google / Chrome
< 148.0.7778.216 (from 148.0.7778.216)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

References

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Metrics

Fix available