Introduction
A use after free vulnerability in Google Chrome's XR component on Windows allows remote attackers to execute arbitrary code simply by luring a user to a malicious web page. With Chrome commanding over 68 percent of the global browser market and an estimated 4.16 billion users, CVE-2026-9118 represents a significant exposure surface that warrants prompt attention from security teams managing Windows endpoints.
Technical Information
CVE-2026-9118 is classified under CWE-416 (Use After Free) and carries a CVSS base score of 8.8. The flaw resides in Chrome's XR component, which implements the WebXR Device API used for augmented reality and virtual reality experiences within the browser.
Root Cause
A use after free condition occurs when an application continues to reference a pointer after the underlying memory has been freed or reallocated. If an attacker can influence the contents of the freed memory region (for example, by triggering a heap spray or carefully timed allocation), they can corrupt internal data structures and hijack the program's control flow to achieve arbitrary code execution.
In CVE-2026-9118, this memory mismanagement occurs specifically within the XR subsystem of the Chromium rendering engine. The exact objects, classes, or functions involved have not been publicly disclosed. Google is tracking the issue internally under Chromium issue 498702233, which is likely access restricted until a sufficient percentage of the user base has updated.
Attack Flow
Based on the available advisory information, the exploitation path follows a familiar pattern for browser based use after free vulnerabilities:
- The attacker hosts or injects a specially crafted HTML page designed to exercise the vulnerable XR code path.
- The victim navigates to the malicious page, either directly or via a redirect from a compromised or attacker controlled site.
- Chrome's rendering engine processes the page content and invokes the XR component.
- The crafted content triggers the use after free condition, causing Chrome to dereference a dangling pointer.
- The attacker leverages control over the freed memory region to execute arbitrary code within the context of the Chrome renderer process.
No proof of concept exploit code has been published in any of the reviewed sources. Deep root cause analysis, including the specific functions and object lifecycles involved, remains undisclosed at this time.
Affected Systems and Versions
The vulnerability specifically affects Google Chrome on Windows. The following table summarizes the affected and fixed versions across platforms:
| Operating System | Vulnerable Versions | Fixed Version |
|---|---|---|
| Windows | All versions prior to 148.0.7778.179 | 148.0.7778.179 |
| macOS | All versions prior to 148.0.7778.178 | 148.0.7778.178 |
| Linux | All versions prior to 148.0.7778.178 | 148.0.7778.178 |
While the CVE description explicitly names Windows as the affected platform, Google's stable channel update includes corresponding fixes for macOS and Linux as well. Windows endpoints should be treated as the highest priority for remediation given the explicit mention in the advisory.
Chrome can be verified as updated by navigating to Help > About Google Chrome, which forces a version check and displays the currently installed build number.
Vendor Security History
Google maintains one of the more aggressive patch cadences in the industry for browser security. The Chrome 148 release that addresses CVE-2026-9118 is notable for its scale: it resolves 127 security vulnerabilities in a single update, more than twice the number fixed in the previous version. Among those 127 fixes are three critical severity flaws alongside numerous high, medium, and low severity issues.
Google paid $138,000 in bug bounties to external researchers for the vulnerabilities resolved in this update cycle, reflecting the company's continued investment in its Vulnerability Reward Program as a mechanism for identifying and remediating security issues before they are exploited.
References
- NVD Entry for CVE-2026-9118
- CVE Record: CVE-2026-9118
- Chrome Stable Channel Update for Desktop (May 2026)
- Chromium Issue 498702233
- Forbes: Critical New Google Update, 127 Chrome Security Vulnerabilities Confirmed
- PCWorld: Chrome 148 Patches 100+ Vulnerabilities Including 3 Critical Flaws
- Backlinko: Web Browser Market Share Statistics



