Introduction
A use after free vulnerability in Google Chrome's WebRTC component, scored at CVSS 8.8, allows a remote attacker to execute arbitrary code simply by getting a user to visit a crafted HTML page. With Chrome commanding 68.02 percent of the global browser market as of April 2026, the potential exposure from CVE-2026-9120 spans billions of endpoints across consumer and enterprise environments alike.
Technical Information
Root Cause: Use After Free in WebRTC
CVE-2026-9120 is classified under CWE-416 (Use After Free). This class of vulnerability occurs when software continues to reference a memory region after that memory has been freed and potentially reallocated for a different purpose. In Chrome's case, the flaw resides within the WebRTC component, which is responsible for real time audio/video communication and data channel management.
WebRTC is particularly susceptible to use after free conditions because its sessions involve complex, asynchronous object lifecycles. Multiple threads concurrently manage peer connections, media streams, and network transports. When a WebRTC object is freed but a dangling reference to it persists, a subsequent dereference can access memory that has been reallocated for an entirely different purpose. An attacker who can influence what data occupies that reallocated memory region gains a powerful primitive for achieving arbitrary code execution.
Attack Flow
The exploitation path for CVE-2026-9120 is notably accessible:
- The attacker crafts a malicious HTML page designed to trigger specific WebRTC operations that provoke the use after free condition.
- The victim navigates to the attacker controlled page (or is redirected to it via phishing, malvertising, or a compromised legitimate site).
- Chrome's WebRTC implementation processes the page content, freeing a WebRTC object while a reference to it still exists.
- The attacker's crafted page manipulates memory allocation to place controlled data into the freed memory region.
- When Chrome dereferences the stale pointer, it operates on attacker controlled data, enabling arbitrary code execution within the context of the Chrome renderer process.
No authentication, special privileges, or extensive user interaction beyond visiting the page is required. The Chromium security team rated the severity of this flaw as High.
| Vulnerability Attribute | Detail |
|---|---|
| CVE Identifier | CVE-2026-9120 |
| CVSS Score | 8.8 |
| Weakness Type | CWE-416 Use After Free |
| Affected Component | WebRTC in Google Chrome |
| Attack Vector | Crafted HTML page (network, no authentication) |
| Impact | Remote Arbitrary Code Execution |
Patch Information
Google addressed CVE-2026-9120 through a Stable channel update for Chrome desktop released on May 20, 2026. The patched versions are:
- Windows and macOS: 148.0.7778.178 or 148.0.7778.179
- Linux: 148.0.7778.178
The CVE description on NVD explicitly scopes the vulnerability to versions "prior to 148.0.7778.179," confirming that this build is the boundary where the fix lands. The Chocolatey package repository also confirmed availability of version 148.0.7778.179 as of May 20, 2026.
Chrome updates happen in the background automatically, but the update is only applied when the user closes and reopens the browser. Organizations managing fleets of endpoints should enforce browser restarts to ensure the patch takes effect.
To manually verify the update:
- Open Chrome.
- Click the three dots in the top right corner.
- Click Help, then select About Chrome.
- Chrome will check for updates and display the current version number.
Because the Chromium bug tracker entry (Issue #504620824) remains restricted, the source level commit details and diff for this fix are not yet publicly accessible. Google keeps security bug details locked down until a significant percentage of users have updated, preventing attackers from reverse engineering the patch before the fix is widely deployed.
Affected Systems and Versions
All versions of Google Chrome prior to 148.0.7778.179 are affected. Specifically:
- Google Chrome for Windows: all versions prior to 148.0.7778.179
- Google Chrome for macOS: all versions prior to 148.0.7778.179
- Google Chrome for Linux: all versions prior to 148.0.7778.178
Given Chrome's 68.02 percent global market share, the affected population is substantial. Other Chromium based browsers that incorporate the same WebRTC codebase may also be affected, though vendor specific advisories should be consulted for confirmation.
Vendor Security History
Google maintains a highly active security posture for Chrome, operating the Chrome Vulnerability Reward Program that provides monetary awards and public recognition to researchers who report flaws. Historically, Chrome shipped a new milestone every six weeks to deliver security and stability improvements.
Despite these investments, Chrome's complex C++ codebase continues to produce memory safety vulnerabilities. Earlier in 2026, Google patched multiple actively exploited zero days:
- CVE-2026-5281: an actively exploited flaw in the WebGPU Dawn component
- CVE-2026-2441: an actively exploited vulnerability in the CSS component
- CVE-2026-4445 and CVE-2026-4446: both use after free vulnerabilities in WebRTC, fixed in earlier Chrome 146.x releases
The recurrence of use after free bugs specifically in WebRTC underscores the inherent difficulty of managing memory safety in a component with highly concurrent, asynchronous object lifecycles.
References
- NVD: CVE-2026-9120
- CVE Record: CVE-2026-9120
- Chrome Releases: Stable Channel Update for Desktop (May 2026)
- Chromium Bug Tracker: Issue 504620824
- Chocolatey: Google Chrome Package
- CWE-416: Use After Free (MITRE)
- StatCounter: Browser Market Share Worldwide
- Google Chrome Update Instructions
- Chromium Blog: Speeding Up Release Cycle
- Chrome Vulnerability Reward Program FAQ
- Google Fixes Fourth Actively Exploited Chrome Zero Day of 2026



