HIGH | CVE-2026-9998 | CNA: Chrome

CVE-2026-9998: Integer overflow in Skia in Google Chrome prior to 148

Integer overflow in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

HarborGuard Analysis

Synopsis

An integer overflow in the Skia graphics library within Google Chrome (versions prior to 148.0.7778.216) allows a remote attacker who has already compromised the renderer process to escape the browser sandbox via a crafted HTML page. The exploit requires the victim to visit or interact with a malicious page, and the attacker must also have prior control of the renderer, making this a chained attack rather than a single-step exploit. Successful exploitation grants the attacker code execution outside the Chrome sandbox, elevating a renderer compromise into a full host-level breach. A patched-image rebuild at version 148.0.7778.216 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-9998 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including the Chrome advisory channel. Coverage extends to custom-built container images that bundle Chrome or Chromium, not only upstream base images.

Status: Available

Triage

HarborGuard surfaces this CVE with its CVSS 3.1 score of 8.3 (High) and applies per-environment compliance policy weighting to determine urgency and routing. Triage findings are delivered to the appropriate team inbox within each customer organization based on policy configuration.

Status: Available

Patch

A patched-image rebuild at Chrome 148.0.7778.216 is available on HarborGuard for any environment found running an affected version. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network, requiring the victim's browser to reach a remotely hosted crafted HTML page.

  • Authentication: Not required

    No account or credential is needed; the attacker requires only that the victim browse to the malicious page.

  • Victim interaction: Required

    The victim must visit or otherwise interact with a crafted HTML page, making this exploit dependent on a social-engineering or malicious-ad delivery step.

  • Attack complexity: Detail

    Attack complexity is rated High, meaning this is a chained exploit that presupposes the attacker has already compromised the Chrome renderer process before the sandbox escape can be attempted.

Blast Radius

  • Escapes the Chrome sandbox, giving the attacker arbitrary code execution in the context of the browser process on the host operating system.
  • Reads files and secrets accessible to the user running Chrome, including stored credentials, session tokens, and local application data.
  • Writes or modifies files on the host, allowing persistence mechanisms such as dropped binaries or modified startup scripts.
  • Crashes or destabilizes the affected Chrome process and any dependent services running under the same user account.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-9998 activates automatically as images are scanned, flagging any container that packages Chrome or Chromium below version 148.0.7778.216 and surfacing the finding as High severity with its full CVSS 8.3 score. For customers with auto-remediation enabled, HarborGuard rebuilds the affected image at the patched version, runs a regression test pass, and opens a pull request against the affected workload; for High-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation environments is around 90 minutes. Where compliance policy requires manual approval, the rebuilt image and test results are staged and waiting so the engineer reviewing the PR has everything needed to merge quickly. Because this vulnerability requires a chained renderer compromise plus victim interaction, teams that cannot immediately patch should also consider network-policy controls that limit egress from browser-embedding containers, reducing the attacker's ability to exfiltrate data even if a renderer is compromised.


Metrics

CVSS v3.1: 8.3
Severity: HIGH
Fixed in: 148.0.7778.216
Affected Products: 1

Fix available: 148.0.7778.216
Affected packages
  • Google / Chrome
    < 148.0.7778.216 (from 148.0.7778.216)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H