CVE-2026-9896

Published May 28, 2026

Last updated 6 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-9896 is identified as an out-of-bounds write vulnerability within V8, Google's open-source JavaScript engine. This flaw was reported on May 2, 2026, by a security researcher identified as "303f06e3". The vulnerability affects web browsers that utilize the V8 engine, including Google Chrome and Microsoft Edge. It has been addressed in Google Chrome versions prior to 148.0.7778.215 on Linux, 148.0.7778.215/216 on Mac, and 148.0.7778.216/217 on Windows. Similarly, Microsoft Edge versions prior to 148.0.3967.96 have also received a fix for this issue.

Description: Out of bounds write in V8 in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Source: chrome-cve-admin@google.com
NVD status: Analyzed
Products: chrome

Risk scores

CVSS 3.1

Type: Secondary
Base score: 8.8
Impact score: 5.9
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: HIGH

Weaknesses

chrome-cve-admin@google.com: CWE-787

Hype score: Not currently trending

Welcome to the $500 era! [$500][508811474] High CVE-2026-9896: Out of bounds write in V8. Reported by 303f06e3 on 2026-05-02 https://t.co/iVv2cRk9g4
@buptsb
29 May 2026
27632 Impressions
12 Retweets
139 Likes
25 Bookmarks
8 Replies
6 Quotes

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "E59192D9-BF13-4B43-B69F-869A6BF83955",
            "versionEndExcluding": "148.0.7778.216",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      },
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
            "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
            "vulnerable": false
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ],
    "operator": "AND"
  },
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "875ACED4-0D6D-4BAA-8FAF-F13B5FEDF09A",
            "versionEndExcluding": "148.0.7778.215",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      },
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*",
            "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E",
            "vulnerable": false
          },
          {
            "criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*",
            "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1",
            "vulnerable": false
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ],
    "operator": "AND"
  }
]

References

Sources include official advisories and independent security research.