How is CVE-2026-9990 exploited?

Network reachability (required): The attacker delivers the exploit over the network by serving a crafted HTML page, so the victim's browser must be able to reach the attacker-controlled host. Authentication (not-required): No account or credential is needed on any system; the attacker only needs to get the victim to visit a page. Victim interaction (required): The victim must perform specific UI gestures in the browser after loading the crafted page, making this a social-engineering-dependent attack. Attack complexity (info): Attack complexity is high, meaning reliable exploitation depends on timing, heap layout, or other environmental factors that the attacker cannot fully control.

What is the impact of CVE-2026-9990?

A successful attacker reads high-confidentiality browser data such as stored credentials, session tokens, and page content from the renderer process. The attacker can modify in-memory data structures, enabling tampering with rendered content or injecting behavior into the running browser session. Heap corruption crashes the affected Chrome process, causing loss of the current browsing session and any unsaved state. All three impacts can occur in a single exploitation attempt, giving the attacker a broad foothold within the browser's security boundary on the affected Mac host.

Back to search

HIGHCVE-2026-9990Published 2026-05-28Modified 2026-05-30CNA Chrome

CVE-2026-9990: Use after free in WebAppInstalls in Google Chrome on Mac prior to 148

Use after free in WebAppInstalls in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

HarborGuard Analysis

HarborGuard analysis

Synopsis

A use-after-free vulnerability affects Google Chrome on macOS in the WebAppInstalls component, present in versions prior to 148.0.7778.216. The flaw is reachable over the network but requires a victim to perform specific UI gestures after visiting a crafted HTML page; no authentication is needed from the attacker. Successful exploitation corrupts heap memory, enabling an attacker to read sensitive data, tamper with it, or crash the browser process. A patched-image rebuild at version 148.0.7778.216 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection of CVE-2026-9990 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle Chrome on macOS base layers.

Available

Triage

HarborGuard scores this CVE at 7.5 HIGH using the CVSS v3.1 vector, and per-environment compliance policy weighting is applied to route findings to the appropriate team inbox inside each customer organization.

Available

Patch

A patched-image rebuild pinned to Chrome 148.0.7778.216 becomes available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the exploit over the network by serving a crafted HTML page, so the victim's browser must be able to reach the attacker-controlled host.
AuthenticationNot required
No account or credential is needed on any system; the attacker only needs to get the victim to visit a page.
Victim interactionRequired
The victim must perform specific UI gestures in the browser after loading the crafted page, making this a social-engineering-dependent attack.
Attack complexityDetail
Attack complexity is high, meaning reliable exploitation depends on timing, heap layout, or other environmental factors that the attacker cannot fully control.

Blast Radius

A successful attacker reads high-confidentiality browser data such as stored credentials, session tokens, and page content from the renderer process.
The attacker can modify in-memory data structures, enabling tampering with rendered content or injecting behavior into the running browser session.
Heap corruption crashes the affected Chrome process, causing loss of the current browsing session and any unsaved state.
All three impacts can occur in a single exploitation attempt, giving the attacker a broad foothold within the browser's security boundary on the affected Mac host.

How HarborGuard Handles This

Available on HarborGuard: detection of CVE-2026-9990 is matched against customer images within minutes of publication, covering any image that packages or distributes Google Chrome on macOS. Where an affected image is identified, a rebuild pinned to the fixed version 148.0.7778.216 is queued automatically. For customers who opt into auto-remediation, HarborGuard runs the rebuild, executes a regression test pass, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding is routed to the appropriate team inbox with CVSS scoring and fix-version detail attached, so engineers can act on it directly. Because a fix version is available upstream, no extended monitoring window is expected, but HarborGuard will re-check the advisory on each ingest cycle to confirm version availability remains stable.

See how HarborGuard automates this

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 148.0.7778.216
Affected Products: 1

Fix available

148.0.7778.216

Affected packages

Google / Chrome
< 148.0.7778.216 (from 148.0.7778.216)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Metrics

Fix available