CVE-2026-9119 · Heap buffer overflow in WebRTC in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code inside a sand

01 · The Real Story

This is a booby-trapped conference room, not a master key to the building

CVE-2026-9119 is a heap-based buffer overflow in Chrome's WebRTC component that can be triggered by attacker-controlled web content. Google and NVD describe the outcome as arbitrary code execution inside Chrome's sandbox via a crafted HTML page. The affected range is Chrome before 148.0.7778.179, with Google's May 19, 2026 desktop release notes showing 148.0.7778.178/179 for Windows/Mac and 148.0.7778.178 for Linux; Debian also backported fixes for Chromium.

The vendor's 8.8/HIGH is fair if you score the bug in isolation as remote code execution in a ubiquitous browser, but it overstates enterprise endpoint risk. The decisive reality is that exploitation lands in a sandboxed renderer, not straight on the host, and the attack still needs user interaction with malicious content. That combination makes this important patching work, but not an all-hands emergency absent a public exploit chain or sandbox escape.

"A drive-by renderer bug with real reach, but the sandbox and user-click requirement keep it out of the urgent pile."

02 · The Attack Path

5 steps from start to impact.

STEP 01

Lure the target into attacker content

The attacker needs the victim to render a malicious HTML page or embedded frame. In practice this is a phishing link, ad-tech placement, compromised site, or chat-delivered URL that loads WebRTC-capable content.

Conditions required:

Target uses Chrome/Chromium in the vulnerable version range
Victim visits attacker-controlled or attacker-influenced web content
Standard browsing controls do not block the destination

Where this breaks in practice:

This is UI:R, so there is no zero-click server-side reach
Email gateways, browser isolation, Safe Browsing, and URL filtering cut a lot of commodity delivery paths
Many enterprise users never meaningfully touch WebRTC-heavy content outside a browser session

Detection/coverage: Perimeter scanners will not find this on hosts because it is a client-side bug. Detection is mostly indirect: web proxy logs, email click telemetry, browser isolation telemetry, and Safe Browsing / DNS filtering hits.

STEP 02

Trigger the WebRTC parser/processing path

The malicious page uses standard browser scripting and WebRTC primitives to reach the vulnerable code path. No authentication or local foothold is needed once the page is loaded; the trigger lives entirely in browser content handling.

Conditions required:

WebRTC is enabled and available in the browsing session
The victim browser actually executes the attacker's page logic

Where this breaks in practice:

If WebRTC is disabled or restricted for high-risk tiers, this path can break
Enterprise browser hardening and script restrictions can reduce reachable surface

Detection/coverage: Traditional vuln scanners generally miss runtime feature exposure here. Browser policy review, extension inventory, and EDR browser telemetry are better ways to confirm whether WebRTC is broadly available.

STEP 03

Exploit the heap overflow in the renderer

A crafted input causes memory corruption in WebRTC, yielding attacker-controlled code execution in the renderer process. Google's release note and NVD both explicitly state the code execution is inside a sandbox, which matters more operationally than the raw 'RCE' label.

Conditions required:

The page reliably reaches the vulnerable memory state
Exploit mitigations do not stop the corruption from becoming code execution

Where this breaks in practice:

Modern browser exploit development is hard: ASLR, CFI, process isolation, and ongoing hardening raise the bar
No public PoC or exploit chain was found in targeted web searches as of 2026-06-03

Detection/coverage: Exploit signatures are weak unless the crash pattern is already known. EDR may surface abnormal child-process or memory-corruption behavior, but coverage is inconsistent for renderer-only exploitation.

STEP 04

Operate within the sandboxed renderer

At this point the attacker controls a compromised renderer, not the whole endpoint. Chrome's own architecture documents say renderer sandboxing restricts filesystem, network, display, and cross-process access, and Site Isolation further reduces what a compromised renderer can see from other sites.

Conditions required:

Renderer compromise succeeded
The attacker can accomplish their objective without escaping the sandbox

Where this breaks in practice:

The sandbox sharply limits post-exploitation blast radius
Cross-site theft is harder because modern desktop Chrome uses Site Isolation by default
Full endpoint compromise usually needs a second bug or misconfiguration

Detection/coverage: Good EDR can still catch follow-on abuse, but a renderer-only compromise may be quiet. Browser crash telemetry and anomalous renderer behavior are more useful than network scanning.

STEP 05

Chain to something bigger

To turn this into a host-level incident, the attacker typically needs a sandbox escape, a browser-to-OS pivot, or a separate credential/session theft path. That second-stage requirement is the main reason this CVE should not be treated like an unauthenticated server RCE.

Conditions required:

A second exploit or abuse path exists
Security tooling does not stop the follow-on activity

Where this breaks in practice:

This CVE alone does not grant host-level execution
The chain complexity is materially higher than the vendor base score implies

Detection/coverage: Follow-on behavior is where defenders usually win: EDR, browser isolation, child-process blocking, and session anomaly detection all have a chance to break the chain.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No public evidence of active exploitation found in reviewed sources as of 2026-06-03.
KEV status	CISA KEV: not listed as of 2026-06-03.
PoC availability	No public PoC or weaponized exploit repo was found in targeted web searches; the Chromium issue reference is permission-gated.
EPSS	`0.00022` (0.022%) from the user-supplied intel, which is very low predictive exploitation pressure.
CVSS vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H` — the important real-world terms are network-deliverable, no auth, but user interaction required.
Affected versions	Google Chrome before `148.0.7778.179`; Google release notes show `148.0.7778.178/179` on Windows/Mac and `148.0.7778.178` on Linux. Debian tracks affected Chromium packages across bullseye/bookworm/trixie branches.
Fixed versions	Google stable desktop update on 2026-05-19 shipped `148.0.7778.178/179`. Debian backports include `148.0.7778.178-1~deb12u1` and `148.0.7778.178-1~deb13u1`; later Debian security rollups also mark `148.0.7778.215-*` as fixed.
Scanning / exposure data	Inference: Shodan/Censys/FOFA are poor measures here because this is a client-side browser flaw, not a network-listening service exposure problem.
Disclosure / reporting	Disclosed 2026-05-20; Google's release note says it was reported by Google on 2026-04-17.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (6.4/10)

The single biggest severity reducer is that successful exploitation yields code execution inside Chrome's sandboxed renderer, not direct host compromise. That makes this a materially narrower problem than a classic unauthenticated RCE on a server, even though delivery is easy and Chrome is everywhere.

HIGH Affected-version and fix-version mapping from vendor/NVD/Debian sources

MEDIUM Real-world exploitability assessment without a public PoC or exploitation evidence

Why this verdict

Sandboxed renderer only: Google and NVD both state the result is code execution *inside a sandbox*. Starting from the vendor's 8.8, that is the biggest downward adjustment because it limits blast radius unless chained with a second bug.
User interaction required: This is UI:R, so the attacker still needs a victim to render malicious content. That implies phishing, malvertising, or compromised-site delivery rather than direct reach into every endpoint.
Client-side, not internet-exposed infrastructure: There is no server socket to scan, spray, or mass-exploit the way you would with VPNs, firewalls, or public web apps. Real exposure depends on user behavior and browser version hygiene.
Threat intel is quiet: No KEV listing, no public exploitation evidence found, and the supplied EPSS (0.00022) is extremely low. That does not make the bug harmless, but it removes the urgency premium.
Still not LOW: Chrome is ubiquitous and the bug is remotely delivered with no auth and low complexity once a user hits the page. In a 10,000-host estate, even moderate user-driven reach means you still want broad patch compliance.

Why not higher?

This is not a higher bucket because the attack chain has two compounding brakes: user interaction and sandboxed-only code execution. Treating it like a full endpoint takeover would ignore the fact that the attacker still needs either a second vulnerability or a very specific post-exploitation objective inside the renderer.

Why not lower?

This is not lower because it is still a memory-corruption bug in a massively deployed browser with remote content delivery and no authentication requirement. Even without public exploitation, a well-resourced attacker can realistically target high-value users through normal browsing paths.

05 · Compensating Control

What to do — in priority order.

Enforce browser auto-update compliance — Make sure Chrome/Chromium update policies are actually landing on managed endpoints and VDI images. For a MEDIUM verdict there is no mitigation SLA — go straight to the 365-day remediation window, but this is the cleanest way to collapse exposure across a large fleet.
Harden risky browsing tiers — For admins, executives, developers, and help-desk users, apply stricter browser policy: keep sandboxing and Site Isolation defaults intact, restrict unmanaged extensions, and consider browser isolation for high-risk web access. There is no mitigation SLA for MEDIUM, so use this as a targeted interim reduction while normal patching completes within the 365-day remediation window.
Limit WebRTC where the business does not need it — If a user group does not rely on browser-based calling, conferencing, or data channels, reducing WebRTC reach can break the vulnerable code path. Use this selectively; there is no mitigation SLA for MEDIUM, so this is an optional risk reduction, not an emergency control.
Watch browser version drift — Continuously report endpoints still below the fixed build, especially non-persistent VDI, kiosks, lab systems, and Linux packages that lag behind the enterprise channel. For MEDIUM, drive this through standard remediation within the 365-day window instead of war-room operations.

What doesn't work

Perimeter vulnerability scanning does not solve this, because there is no remotely exposed service banner to find on the endpoint.
Server-side WAF rules are mostly irrelevant; the exploit executes in the client browser, not on your web server.
Network IDS alone is weak coverage because browser traffic is typically encrypted and the trigger can look like ordinary web activity.

06 · Verification

Crowdsourced verification payload.

Run this on the target endpoint or in your software-audit tooling. Invoke it with python3 check_cve_2026_9119.py to auto-detect Chrome/Chromium, or pass an explicit path such as python3 check_cve_2026_9119.py "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"; no admin rights are normally required unless your EDR blocks process inspection.

noisgate-verify.py

PYTHONREAD-ONLYSAFE

#!/usr/bin/env python3
# check_cve_2026_9119.py
# Determine whether a local Chrome/Chromium binary is vulnerable to CVE-2026-9119.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

import os
import platform
import re
import shutil
import subprocess
import sys

VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)\.(\d+)')

FIXED_WINDOWS_MAC = (148, 0, 7778, 179)
FIXED_LINUX = (148, 0, 7778, 178)


def parse_version(text):
    m = VERSION_RE.search(text or '')
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def cmp_ver(a, b):
    return (a > b) - (a < b)


def candidates():
    system = platform.system().lower()
    c = []

    if len(sys.argv) > 1:
        c.append(sys.argv[1])

    # PATH-based binaries
    for name in [
        'google-chrome', 'google-chrome-stable', 'chromium', 'chromium-browser',
        'chrome', 'msedge'  # included only so the script can tell you UNKNOWN/not-applicable if pointed there
    ]:
        p = shutil.which(name)
        if p:
            c.append(p)

    if system == 'windows':
        envs = [
            os.environ.get('PROGRAMFILES'),
            os.environ.get('PROGRAMFILES(X86)'),
            os.environ.get('LOCALAPPDATA')
        ]
        suffixes = [
            r'Google\Chrome\Application\chrome.exe',
            r'Chromium\Application\chrome.exe'
        ]
        for base in envs:
            if base:
                for s in suffixes:
                    c.append(os.path.join(base, s))
    elif system == 'darwin':
        c.extend([
            '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome',
            '/Applications/Chromium.app/Contents/MacOS/Chromium'
        ])
    else:
        c.extend([
            '/usr/bin/google-chrome',
            '/usr/bin/google-chrome-stable',
            '/usr/bin/chromium',
            '/usr/bin/chromium-browser',
            '/snap/bin/chromium'
        ])

    # de-dup while preserving order
    seen = set()
    out = []
    for item in c:
        if item and item not in seen:
            seen.add(item)
            out.append(item)
    return out


def get_version(binary):
    try:
        cp = subprocess.run([binary, '--version'], capture_output=True, text=True, timeout=10)
        text = (cp.stdout or '') + ' ' + (cp.stderr or '')
        return parse_version(text), text.strip()
    except Exception:
        return None, ''


def main():
    system = platform.system().lower()
    fixed = FIXED_LINUX if system == 'linux' else FIXED_WINDOWS_MAC

    found_any = False
    for binary in candidates():
        if not os.path.exists(binary):
            continue
        found_any = True
        ver, raw = get_version(binary)
        if ver is None:
            continue

        # Basic product sanity check
        lowered = raw.lower()
        if 'edge' in lowered:
            print(f'UNKNOWN: {binary} appears to be Microsoft Edge, not Chrome/Chromium ({raw})')
            sys.exit(2)

        status = 'PATCHED' if cmp_ver(ver, fixed) >= 0 else 'VULNERABLE'
        print(f'{status}: {binary} version {ver[0]}.{ver[1]}.{ver[2]}.{ver[3]}')
        sys.exit(0 if status == 'PATCHED' else 1)

    if not found_any:
        print('UNKNOWN: no Chrome/Chromium binary found; pass an explicit path as an argument')
    else:
        print('UNKNOWN: found candidate binary but could not parse a version')
    sys.exit(2)


if __name__ == '__main__':
    main()

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, treat this as fleet patching, not incident-response patching. Because there is no active exploitation evidence and the reassessed verdict is MEDIUM, there is noisgate mitigation SLA: no mitigation SLA — go straight to the 365-day remediation window; focus on getting Chrome/Chromium estate visibility, fixing auto-update failures, and rolling users to 148.0.7778.179 on Windows/Mac or the equivalent fixed Linux/distro build. Your noisgate remediation SLA is ≤ 365 days, but in a 10,000-host environment you should still close browser version drift in your next normal endpoint maintenance cycle rather than letting this age out in backlog.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.