ZeroPath at Black Hat USA 2026

Quick Look: CVE-2026-9112, a Use After Free in Google Chrome's GPU Component Enabling Sandbox Code Execution

A brief summary of CVE-2026-9112, a high severity use after free vulnerability in Google Chrome's GPU process on Windows that allows remote code execution inside the sandbox via a crafted HTML page.

CVE Analysis

5 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-20

Quick Look: CVE-2026-9112, a Use After Free in Google Chrome's GPU Component Enabling Sandbox Code Execution
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A use after free vulnerability in Google Chrome's GPU process on Windows gives remote attackers the ability to execute arbitrary code inside the browser sandbox, requiring nothing more than a victim visiting a crafted HTML page. With Chrome commanding roughly two thirds of the global browser market, CVE-2026-9112 represents a significant attack surface that defenders across enterprise and consumer environments need to address promptly.

Technical Information

CVE-2026-9112 is classified under CWE-416: Use After Free. This class of memory corruption vulnerability occurs when an application continues to reference a pointer to memory after that memory has been freed or reallocated. Attackers can leverage use after free conditions to crash applications, escalate privileges, or execute arbitrary code on affected endpoints.

In this case, the vulnerable component is Chrome's GPU process on Windows. The GPU process is responsible for rendering graphical content, including WebGL, hardware accelerated CSS, and other GPU intensive operations. When a vulnerable Chrome client renders a specially crafted HTML page, the GPU process incorrectly accesses memory that has already been freed, creating a dangling pointer that an attacker can manipulate.

Attack Flow

The exploitation of CVE-2026-9112 follows a straightforward remote attack pattern:

  1. The attacker crafts a malicious HTML page designed to trigger the use after free condition in Chrome's GPU component.
  2. The attacker delivers this page to a victim by hosting it on a controlled domain, injecting it into a compromised website, or distributing the link through phishing or other social engineering.
  3. When the victim opens the page in a vulnerable version of Chrome on Windows, the browser's GPU process begins rendering the page content.
  4. During rendering, the GPU component accesses memory that has already been freed, producing a dangling pointer scenario.
  5. The attacker's crafted page manipulates this freed memory region, enabling arbitrary code execution within the Chrome sandbox.

The code execution is constrained to the Chrome sandbox, which limits the immediate blast radius. However, use after free vulnerabilities are a well understood class of memory corruption bugs that threat actors frequently chain with sandbox escape techniques to achieve full system compromise. The CVSS score of 8.8 reflects the severity of remote code execution even within the sandbox boundary, as it can serve as a reliable first stage in a multi-step attack chain.

Broader GPU Vulnerability Pattern in Chrome 148

The Chrome 148 release cycle revealed a cluster of GPU related memory safety issues, suggesting systemic complexity in the GPU rendering code paths:

CVE IdentifierComponentVulnerability TypeFixed In
CVE-2026-9112GPUUse After Free148.0.7778.179
CVE-2026-8546GPUOut of bounds read148.0.7778.168
CVE-2026-8581GPUUse After Free148.0.7778.168

These recurring issues in the same component across a single release cycle warrant ongoing attention from both Google's security team and organizations monitoring their Chrome deployments.

Affected Systems and Versions

The vulnerability affects Google Chrome on Windows in all versions prior to 148.0.7778.179. The fix was delivered in the Chrome Stable channel update released on May 19, 2026. Other platforms (macOS, Linux, ChromeOS) are not listed as affected based on the available advisory data.

Vendor Security History

Google maintains a rapid and consistent patching cadence for Chrome. The Chrome 148 update alone included fixes for 127 security vulnerabilities, including three critical flaws. While the sheer volume of vulnerabilities is notable, Google's ability to discover and remediate these issues within regular release cycles reflects a mature vulnerability management program.

The GPU component has been a recurring source of memory safety issues. In addition to CVE-2026-9112, the same release cycle addressed CVE-2026-8546 and CVE-2026-8581, both also in the GPU component. Beyond this release, CVE-2026-5281, a use after free in Chrome's Dawn WebGPU component, was confirmed as an in the wild zero day, demonstrating that attackers are actively targeting this area of the browser.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization