ZeroPath at Black Hat USA 2026

Quick Look: Google Chrome XR Use After Free RCE (CVE-2026-9118)

A brief summary of CVE-2026-9118, a high severity use after free vulnerability in Google Chrome's XR component on Windows that enables remote code execution via a crafted HTML page.

CVE Analysis

5 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-20

Quick Look: Google Chrome XR Use After Free RCE (CVE-2026-9118)
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A use after free vulnerability in Google Chrome's XR component on Windows allows remote attackers to execute arbitrary code simply by luring a user to a malicious web page. With Chrome commanding over 68 percent of the global browser market and an estimated 4.16 billion users, CVE-2026-9118 represents a significant exposure surface that warrants prompt attention from security teams managing Windows endpoints.

Technical Information

CVE-2026-9118 is classified under CWE-416 (Use After Free) and carries a CVSS base score of 8.8. The flaw resides in Chrome's XR component, which implements the WebXR Device API used for augmented reality and virtual reality experiences within the browser.

Root Cause

A use after free condition occurs when an application continues to reference a pointer after the underlying memory has been freed or reallocated. If an attacker can influence the contents of the freed memory region (for example, by triggering a heap spray or carefully timed allocation), they can corrupt internal data structures and hijack the program's control flow to achieve arbitrary code execution.

In CVE-2026-9118, this memory mismanagement occurs specifically within the XR subsystem of the Chromium rendering engine. The exact objects, classes, or functions involved have not been publicly disclosed. Google is tracking the issue internally under Chromium issue 498702233, which is likely access restricted until a sufficient percentage of the user base has updated.

Attack Flow

Based on the available advisory information, the exploitation path follows a familiar pattern for browser based use after free vulnerabilities:

  1. The attacker hosts or injects a specially crafted HTML page designed to exercise the vulnerable XR code path.
  2. The victim navigates to the malicious page, either directly or via a redirect from a compromised or attacker controlled site.
  3. Chrome's rendering engine processes the page content and invokes the XR component.
  4. The crafted content triggers the use after free condition, causing Chrome to dereference a dangling pointer.
  5. The attacker leverages control over the freed memory region to execute arbitrary code within the context of the Chrome renderer process.

No proof of concept exploit code has been published in any of the reviewed sources. Deep root cause analysis, including the specific functions and object lifecycles involved, remains undisclosed at this time.

Affected Systems and Versions

The vulnerability specifically affects Google Chrome on Windows. The following table summarizes the affected and fixed versions across platforms:

Operating SystemVulnerable VersionsFixed Version
WindowsAll versions prior to 148.0.7778.179148.0.7778.179
macOSAll versions prior to 148.0.7778.178148.0.7778.178
LinuxAll versions prior to 148.0.7778.178148.0.7778.178

While the CVE description explicitly names Windows as the affected platform, Google's stable channel update includes corresponding fixes for macOS and Linux as well. Windows endpoints should be treated as the highest priority for remediation given the explicit mention in the advisory.

Chrome can be verified as updated by navigating to Help > About Google Chrome, which forces a version check and displays the currently installed build number.

Vendor Security History

Google maintains one of the more aggressive patch cadences in the industry for browser security. The Chrome 148 release that addresses CVE-2026-9118 is notable for its scale: it resolves 127 security vulnerabilities in a single update, more than twice the number fixed in the previous version. Among those 127 fixes are three critical severity flaws alongside numerous high, medium, and low severity issues.

Google paid $138,000 in bug bounties to external researchers for the vulnerabilities resolved in this update cycle, reflecting the company's continued investment in its Vulnerability Reward Program as a mechanism for identifying and remediating security issues before they are exploited.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization