Introduction
A use after free vulnerability in Google Chrome's GPU process on Windows gives remote attackers the ability to execute arbitrary code inside the browser sandbox, requiring nothing more than a victim visiting a crafted HTML page. With Chrome commanding roughly two thirds of the global browser market, CVE-2026-9112 represents a significant attack surface that defenders across enterprise and consumer environments need to address promptly.
Technical Information
CVE-2026-9112 is classified under CWE-416: Use After Free. This class of memory corruption vulnerability occurs when an application continues to reference a pointer to memory after that memory has been freed or reallocated. Attackers can leverage use after free conditions to crash applications, escalate privileges, or execute arbitrary code on affected endpoints.
In this case, the vulnerable component is Chrome's GPU process on Windows. The GPU process is responsible for rendering graphical content, including WebGL, hardware accelerated CSS, and other GPU intensive operations. When a vulnerable Chrome client renders a specially crafted HTML page, the GPU process incorrectly accesses memory that has already been freed, creating a dangling pointer that an attacker can manipulate.
Attack Flow
The exploitation of CVE-2026-9112 follows a straightforward remote attack pattern:
- The attacker crafts a malicious HTML page designed to trigger the use after free condition in Chrome's GPU component.
- The attacker delivers this page to a victim by hosting it on a controlled domain, injecting it into a compromised website, or distributing the link through phishing or other social engineering.
- When the victim opens the page in a vulnerable version of Chrome on Windows, the browser's GPU process begins rendering the page content.
- During rendering, the GPU component accesses memory that has already been freed, producing a dangling pointer scenario.
- The attacker's crafted page manipulates this freed memory region, enabling arbitrary code execution within the Chrome sandbox.
The code execution is constrained to the Chrome sandbox, which limits the immediate blast radius. However, use after free vulnerabilities are a well understood class of memory corruption bugs that threat actors frequently chain with sandbox escape techniques to achieve full system compromise. The CVSS score of 8.8 reflects the severity of remote code execution even within the sandbox boundary, as it can serve as a reliable first stage in a multi-step attack chain.
Broader GPU Vulnerability Pattern in Chrome 148
The Chrome 148 release cycle revealed a cluster of GPU related memory safety issues, suggesting systemic complexity in the GPU rendering code paths:
| CVE Identifier | Component | Vulnerability Type | Fixed In |
|---|---|---|---|
| CVE-2026-9112 | GPU | Use After Free | 148.0.7778.179 |
| CVE-2026-8546 | GPU | Out of bounds read | 148.0.7778.168 |
| CVE-2026-8581 | GPU | Use After Free | 148.0.7778.168 |
These recurring issues in the same component across a single release cycle warrant ongoing attention from both Google's security team and organizations monitoring their Chrome deployments.
Affected Systems and Versions
The vulnerability affects Google Chrome on Windows in all versions prior to 148.0.7778.179. The fix was delivered in the Chrome Stable channel update released on May 19, 2026. Other platforms (macOS, Linux, ChromeOS) are not listed as affected based on the available advisory data.
Vendor Security History
Google maintains a rapid and consistent patching cadence for Chrome. The Chrome 148 update alone included fixes for 127 security vulnerabilities, including three critical flaws. While the sheer volume of vulnerabilities is notable, Google's ability to discover and remediate these issues within regular release cycles reflects a mature vulnerability management program.
The GPU component has been a recurring source of memory safety issues. In addition to CVE-2026-9112, the same release cycle addressed CVE-2026-8546 and CVE-2026-8581, both also in the GPU component. Beyond this release, CVE-2026-5281, a use after free in Chrome's Dawn WebGPU component, was confirmed as an in the wild zero day, demonstrating that attackers are actively targeting this area of the browser.
References
- Stable Channel Update for Desktop (Chrome Releases)
- Chromium Issue Tracker: 489791425
- CWE-416: Use After Free
- CVE-2026-8546 (NVD)
- Chrome 148 Patches 100+ Vulnerabilities (PCWorld)
- Critical New Google Update: 127 Chrome Security Vulnerabilities Confirmed (Forbes)
- Browser Patching Should Not Wait for Chrome Restarts
- CVE-2026-5281: Chrome Dawn Flaw Sparks In the Wild Zero Day Attacks (HivePro)
- What Is a Use After Free Vulnerability? (Automox)
- Google CVEs and Security Vulnerabilities (OpenCVE)



