Introduction
A use after free vulnerability in Google Chrome's DOM engine, tracked as CVE-2026-9126, allows remote attackers to execute arbitrary code inside the renderer sandbox when a victim visits a crafted HTML page. With Chrome holding roughly 68 percent of the global browser market as of April 2026, even a sandboxed code execution primitive in this browser represents a meaningful risk, particularly when it could serve as the first link in an exploit chain targeting enterprise endpoints.
Technical Information
CVE-2026-9126 is classified under CWE-416 (Use After Free) and resides in Chrome's Document Object Model engine. The NVD assigns it a CVSS 3.1 base score of 8.8 (High), while the Chromium security team rates it at Medium severity. This discrepancy is worth noting: the NVD score reflects the general impact of remote code execution, whereas the Chromium rating accounts for the fact that execution is confined to the renderer sandbox.
Root Cause
A use after free condition occurs when a program continues to reference a memory region through a pointer after that region has been deallocated. In the context of Chrome's DOM engine, this means a DOM object is freed while a dangling pointer to it still exists elsewhere in the codebase. If an attacker can arrange for the freed heap region to be reclaimed by attacker controlled data (a technique commonly referred to as heap spraying or heap grooming), dereferencing the stale pointer will operate on the attacker's data rather than the original object. This can redirect execution flow and enable arbitrary code execution.
The patch for this vulnerability would ensure proper object lifetime management: either extending the reference so the object is not prematurely freed, or nullifying the dangling pointer so it cannot be dereferenced after deallocation.
Attack Flow
- Delivery: The attacker hosts or injects a crafted HTML page on a web server they control, or compromises a legitimate site to serve the payload.
- Trigger: A victim navigates to the malicious page using a vulnerable version of Google Chrome (any version prior to 148.0.7778.179).
- Exploitation: The crafted HTML manipulates DOM objects in a way that causes one to be freed while a reference to it persists. The attacker's page then reclaims the freed memory with controlled data.
- Code Execution: When Chrome dereferences the dangling pointer, it operates on the attacker's data, enabling arbitrary code execution within the renderer process sandbox.
- Sandbox Constraint: The attacker's code runs inside Chrome's sandbox. Achieving full system compromise would require chaining this vulnerability with a separate sandbox escape exploit.
No user interaction beyond visiting the page is required. The attack is entirely network based.
Severity Discrepancy
It is notable that the CVSS 3.1 score of 8.8 and the Chromium team's own Medium severity rating diverge significantly. The Chromium rating likely reflects the sandbox containment: while the attacker gains code execution, they remain confined to the renderer process. Google's Vulnerability Reward Program reinforces this perspective; a use after free reachable from web contents without a sandbox escape earns USD 2,500, whereas a full chain exploit (including sandbox escape) commands up to USD 250,000.
Patch Information
Google addressed CVE-2026-9126 as part of the Chrome Stable Channel update published on May 20, 2026. The fix shipped in the following versions:
| Operating System | Patched Chrome Version |
|---|---|
| Windows | 148.0.7778.178 or 148.0.7778.179 |
| macOS | 148.0.7778.178 or 148.0.7778.179 |
| Linux | 148.0.7778.178 |
Any Chrome version prior to these builds remains vulnerable.
The specific source level changes that constitute the fix are tracked in the Chromium issue tracker at issues.chromium.org/issues/496280532. As is standard practice for Chromium security bugs, the issue is currently access restricted. Google keeps the bug details and associated code diffs under embargo until a significant portion of the user base has updated to the patched build. This is a deliberate defensive measure: publishing exploit relevant implementation details before most users are protected would widen the attack window. Once the restriction is lifted, the issue page will expose the exact commits, code reviews, and regression tests introduced to remediate the flaw.
Because Chrome auto updates on most desktop installations, many users will already have received this fix silently. However, enterprise environments or systems with update policies that delay rollouts should explicitly verify their deployed Chrome version and push the update accordingly. Network defenders should also ensure that standard web filtering and malicious domain blocking protections are active to reduce the likelihood of users reaching crafted HTML pages.
Affected Systems and Versions
The vulnerability affects all versions of Google Chrome prior to the following patched builds:
- Windows and macOS: Versions prior to 148.0.7778.178 / 148.0.7778.179
- Linux: Versions prior to 148.0.7778.178
Any Chromium based browser that incorporates the affected DOM engine code may also be impacted, though the official advisory specifically names Google Chrome.
Vendor Security History
Google maintains a mature security program around Chromium, including investments in memory safety technologies like MiraclePtr, which is designed to prevent exploitation of use after free vulnerabilities by quarantining freed memory. The Chrome Vulnerability Reward Program offers substantial payouts to incentivize responsible disclosure:
| Vulnerability Type | Reward |
|---|---|
| Full Chain Exploit (Web Contents) | USD 250,000 |
| Full Chain Exploit (MojoJS Enabled) | USD 200,000 |
| MiraclePtr Bypass | Up to USD 100,115 |
| Use After Free from Web Contents | USD 2,500 |
| Use After Free from MojoJS | USD 1,500 |
| Use After Free in Renderer Process | USD 1,000 |
The existence of CVE-2026-9126 as a DOM use after free suggests that MiraclePtr coverage does not yet extend to all DOM object pointers, or that this particular code path was not protected by the mitigation. Regardless, the rapid patch turnaround and structured disclosure process reflect a vendor with a well established vulnerability response pipeline.
References
- NVD: CVE-2026-9126
- CVE Record: CVE-2026-9126
- Chrome Releases: Stable Channel Update for Desktop (May 20, 2026)
- Chromium Issue Tracker: 496280532
- Tenable: CVE-2026-9126
- OffSeq Radar: CVE-2026-9126 Threat Summary
- Chrome Vulnerability Reward Program Rules
- Chromium Security
- CISA Known Exploited Vulnerabilities Catalog
- Browser Market Share Worldwide (Statcounter)



