ZeroPath at Black Hat USA 2026

Quick Look: CVE-2026-9120, a Use After Free in Google Chrome's WebRTC Component Enabling Remote Code Execution

A brief summary of CVE-2026-9120, a high severity use after free vulnerability in Google Chrome's WebRTC component that allows remote code execution via a crafted HTML page. Includes patch information and affected version details.

CVE Analysis

5 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-20

Quick Look: CVE-2026-9120, a Use After Free in Google Chrome's WebRTC Component Enabling Remote Code Execution
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A use after free vulnerability in Google Chrome's WebRTC component, scored at CVSS 8.8, allows a remote attacker to execute arbitrary code simply by getting a user to visit a crafted HTML page. With Chrome commanding 68.02 percent of the global browser market as of April 2026, the potential exposure from CVE-2026-9120 spans billions of endpoints across consumer and enterprise environments alike.

Technical Information

Root Cause: Use After Free in WebRTC

CVE-2026-9120 is classified under CWE-416 (Use After Free). This class of vulnerability occurs when software continues to reference a memory region after that memory has been freed and potentially reallocated for a different purpose. In Chrome's case, the flaw resides within the WebRTC component, which is responsible for real time audio/video communication and data channel management.

WebRTC is particularly susceptible to use after free conditions because its sessions involve complex, asynchronous object lifecycles. Multiple threads concurrently manage peer connections, media streams, and network transports. When a WebRTC object is freed but a dangling reference to it persists, a subsequent dereference can access memory that has been reallocated for an entirely different purpose. An attacker who can influence what data occupies that reallocated memory region gains a powerful primitive for achieving arbitrary code execution.

Attack Flow

The exploitation path for CVE-2026-9120 is notably accessible:

  1. The attacker crafts a malicious HTML page designed to trigger specific WebRTC operations that provoke the use after free condition.
  2. The victim navigates to the attacker controlled page (or is redirected to it via phishing, malvertising, or a compromised legitimate site).
  3. Chrome's WebRTC implementation processes the page content, freeing a WebRTC object while a reference to it still exists.
  4. The attacker's crafted page manipulates memory allocation to place controlled data into the freed memory region.
  5. When Chrome dereferences the stale pointer, it operates on attacker controlled data, enabling arbitrary code execution within the context of the Chrome renderer process.

No authentication, special privileges, or extensive user interaction beyond visiting the page is required. The Chromium security team rated the severity of this flaw as High.

Vulnerability AttributeDetail
CVE IdentifierCVE-2026-9120
CVSS Score8.8
Weakness TypeCWE-416 Use After Free
Affected ComponentWebRTC in Google Chrome
Attack VectorCrafted HTML page (network, no authentication)
ImpactRemote Arbitrary Code Execution

Patch Information

Google addressed CVE-2026-9120 through a Stable channel update for Chrome desktop released on May 20, 2026. The patched versions are:

  • Windows and macOS: 148.0.7778.178 or 148.0.7778.179
  • Linux: 148.0.7778.178

The CVE description on NVD explicitly scopes the vulnerability to versions "prior to 148.0.7778.179," confirming that this build is the boundary where the fix lands. The Chocolatey package repository also confirmed availability of version 148.0.7778.179 as of May 20, 2026.

Chrome updates happen in the background automatically, but the update is only applied when the user closes and reopens the browser. Organizations managing fleets of endpoints should enforce browser restarts to ensure the patch takes effect.

To manually verify the update:

  1. Open Chrome.
  2. Click the three dots in the top right corner.
  3. Click Help, then select About Chrome.
  4. Chrome will check for updates and display the current version number.

Because the Chromium bug tracker entry (Issue #504620824) remains restricted, the source level commit details and diff for this fix are not yet publicly accessible. Google keeps security bug details locked down until a significant percentage of users have updated, preventing attackers from reverse engineering the patch before the fix is widely deployed.

Affected Systems and Versions

All versions of Google Chrome prior to 148.0.7778.179 are affected. Specifically:

  • Google Chrome for Windows: all versions prior to 148.0.7778.179
  • Google Chrome for macOS: all versions prior to 148.0.7778.179
  • Google Chrome for Linux: all versions prior to 148.0.7778.178

Given Chrome's 68.02 percent global market share, the affected population is substantial. Other Chromium based browsers that incorporate the same WebRTC codebase may also be affected, though vendor specific advisories should be consulted for confirmation.

Vendor Security History

Google maintains a highly active security posture for Chrome, operating the Chrome Vulnerability Reward Program that provides monetary awards and public recognition to researchers who report flaws. Historically, Chrome shipped a new milestone every six weeks to deliver security and stability improvements.

Despite these investments, Chrome's complex C++ codebase continues to produce memory safety vulnerabilities. Earlier in 2026, Google patched multiple actively exploited zero days:

  • CVE-2026-5281: an actively exploited flaw in the WebGPU Dawn component
  • CVE-2026-2441: an actively exploited vulnerability in the CSS component
  • CVE-2026-4445 and CVE-2026-4446: both use after free vulnerabilities in WebRTC, fixed in earlier Chrome 146.x releases

The recurrence of use after free bugs specifically in WebRTC underscores the inherent difficulty of managing memory safety in a component with highly concurrent, asynchronous object lifecycles.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization