CVE-2026-9945

Google · Chrome

A use-after-free vulnerability in the Media component of Google Chrome on Windows could allow for arbitrary code execution.

Executive summary

A high-severity memory corruption vulnerability in the Google Chrome media stack on Windows poses a risk of remote code execution.

Vulnerability

This use-after-free vulnerability is located in the Media handling component and affects Chrome on the Windows platform specifically. An unauthenticated attacker can exploit it through a malicious website, causing the browser to execute arbitrary code with the privileges of the logged-in user.

Business impact

The CVSS score of 8.8 reflects the high severity of this issue, as browser-based media vulnerabilities are frequent targets for exploitation. Compromise of the browser on a Windows host provides an attacker with a foothold to conduct further malicious activities, including credential harvesting and malware deployment.

Remediation

Immediate Action: Update Google Chrome to version 148 or later to resolve the memory corruption flaw.

Proactive Monitoring: Monitor for suspicious media-related processes or unexpected browser behavior while browsing multimedia-heavy websites.

Compensating Controls: Ensure that Windows-based endpoint detection and response (EDR) tools are configured to alert on anomalous process execution originating from the browser.
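The three remediation items above map to two checks an administrator can script on a Windows host: confirming the installed Chrome build is at or above the fixed major version stated in this advisory (148), and reviewing process-creation audit records for unexpected child processes of the browser, which is the condition the EDR alert is meant to catch. The following PowerShell is an added example written for this advisory, not code from Google or from the page itself. It assumes Chrome is installed in one of the default per-machine or per-user locations and that Windows process-creation auditing (Security event 4688 with command-line logging) is enabled; the allowlist of expected child processes is a constructed starting point to be tuned to the environment.

```powershell
# Added example for this advisory; not part of the original page or of Google's tooling.
# Assumptions (not from the page): Chrome lives in a default install path, and Security
# event 4688 (process creation) is being logged with command-line auditing enabled.

function Get-ChromeVersion {
    # Return the product version of the first chrome.exe found in a default location, or $null.
    $candidates = @(
        "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
        "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
        "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe"
    )
    foreach ($path in $candidates) {
        if (Test-Path -LiteralPath $path) {
            return [version](Get-Item -LiteralPath $path).VersionInfo.ProductVersion
        }
    }
    return $null
}

function Test-ChromePatched {
    # Compare the installed major version against the fixed version from the advisory (148).
    param([int]$MinimumMajor = 148)
    $v = Get-ChromeVersion
    if ($null -eq $v) {
        return [pscustomobject]@{ Installed = $false; Version = $null; Patched = $null }
    }
    [pscustomobject]@{
        Installed = $true
        Version   = $v.ToString()
        Patched   = ($v.Major -ge $MinimumMajor)
    }
}

function Get-UnexpectedChromeChildren {
    # List 4688 events in the last N hours where chrome.exe spawned a process that is
    # not in the expected allowlist. Reading the Security log requires elevation.
    param(
        [int]$Hours = 24,
        # Constructed allowlist: Chrome normally only spawns more chrome.exe instances.
        [string[]]$Expected = @('chrome.exe')
    )
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        $parent = $fields['ParentProcessName']
        $child  = $fields['NewProcessName']
        if ($parent -and $child -and
            (Split-Path $parent -Leaf) -ieq 'chrome.exe' -and
            $Expected -notcontains (Split-Path $child -Leaf)) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Parent  = $parent
                Child   = $child
                Command = $fields['CommandLine']
            }
        }
    }
}

# Usage: report patch state, then list any unexpected browser-spawned processes.
Test-ChromePatched | Format-List
Get-UnexpectedChromeChildren -Hours 24 | Format-Table -AutoSize
```

The version check reads the file version of chrome.exe rather than a registry key, so it works for both per-machine and per-user installs; an empty result from the child-process query is only meaningful if 4688 auditing is actually enabled on the host, which is worth verifying before relying on it as a compensating control.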

Exploitation status

Public Exploit Available: false

Analyst recommendation

Organizations must prioritize patching this vulnerability to maintain the integrity of their Windows environment. Promptly applying the vendor-provided update is essential to prevent potential exploitation and secure the browser against known memory corruption vectors.