On May 6, 2026, Microsoft confirmed that a newly disclosed Chromium vulnerability—CVE-2026-7975—also affects its Edge browser. The use-after-free flaw in DevTools could help attackers escape Chrome’s sandbox after compromising the renderer, and it was patched in Google Chrome 148.0.7778.96 released a day earlier. Although rated Medium by Chromium, CISA’s analysis assigns it a High severity score of 8.3 due to the sandbox escape risk.

What Actually Changed in This Update

Google released Chrome version 148 to the stable channel on May 5, 2026, for Windows, macOS, and Linux. The update included 127 security fixes, one of which addressed CVE-2026-7975—a use-after-free vulnerability in the browser’s DevTools component. The bug affects all Chromium-based browsers, meaning Microsoft Edge, which shares the same engine, was also vulnerable until Microsoft released an updated build.

According to the Chromium advisory, an attacker who has already compromised the renderer process—the part of the browser that handles web content—could exploit this flaw by getting the user to visit a crafted HTML page. Success could allow a sandbox escape, meaning the attacker might break out of the browser’s security confinement and gain wider access to the underlying system. This is a critical escalation because browser sandboxes are designed to contain damage even if a renderer bug is exploited.

The fixed versions are as follows:

  • Chrome on Linux: 148.0.7778.96 or later
  • Chrome on Windows and macOS: 148.0.7778.96 or .97, depending on platform and channel
  • Microsoft Edge: The latest stable version (check your specific build via edge://settings/help)

Microsoft’s Security Response Center (MSRC) advisory confirmed that the latest version of Edge is no longer vulnerable, though it did not provide a specific Edge version number that maps directly to the Chrome fix. Administrators should verify against Microsoft’s release notes.

What This Means for You: By User Type

For Home Users

If you use Chrome, this is a routine but important update. Since Chrome typically updates itself in the background, you may already be protected. To confirm, click the three-dot menu, go to Help > About Google Chrome, or type chrome://settings/help in the address bar. If an update is pending, it will install, and you’ll be prompted to restart the browser. Restart is essential; the updated code only takes effect after the browser relaunches.

Microsoft Edge users on Windows will usually receive the patch through Windows Update automatically. You can also manually trigger a check by navigating to edge://settings/help. The risk to home users is low because exploitation requires an additional renderer compromise, but don’t dismiss it—browsers are the most exposed application on your device.

For Power Users and Developers

This bug sits in DevTools, a component many power users interact with directly. Even if you don’t open the F12 panel, DevTools underpins many internal browser operations, such as debugging protocols and automation interfaces. The fact that a use-after-free exists here is a reminder that every browser subsystem is a potential attack surface.

While you await more technical details (Google typically withholds them to give users time to update), consider reviewing your DevTools usage. If you don’t need developer tools active on a particular machine, you might disable them via policies. But the primary defense is updating. Also, if you run multiple Chromium-based browsers (Brave, Vivaldi, etc.), check them all.

For IT Administrators

This vulnerability is a fleet-wide concern. Browser updates can’t be treated as optional or deferred for weeks. Here’s why:

  • Chainable nature: The bug may be “Medium” in Chromium’s view, but CISA’s ADP score of 8.3 reflects the reality that sandbox escapes are highly valuable to attackers. An attacker who pairs this with a renderer exploit (and Chrome 148 fixed three Critical and dozens of High bugs) could achieve full system compromise.
  • Shared engine: If your organization uses both Chrome and Edge (and it likely does, even if Edge isn’t the primary), both must be updated. A Chrome-only patch program leaves Edge as an unguarded back door.
  • Restart compliance: The biggest vulnerability is often the lag between patch download and browser restart. Users who leave browsers open for days are sitting ducks. Enforce restart policies or use tools that prompt and eventually force relaunch.

Your action items:
1. Inventory all Chromium-based browsers on endpoints. Know which version is installed.
2. Use your management platform (Intune, Group Policy, Chrome Browser Cloud Management, third-party tools) to push the Chrome 148 update and the corresponding Edge update.
3. Verify success telemetry—don’t rely on scanner CPE matching alone. Use actual version reporting from endpoints.
4. Review DevTools access. If it’s not needed for non-developer users, disable it via Group Policy (for Edge: Administrative Templates > Microsoft Edge > Developer Tools; for Chrome, similar policies exist). While this may not mitigate the current bug fully, it reduces exposure to any future DevTools-related flaws.
5. Prepare a communication to users about the importance of restarting browsers after updates.

How We Got Here: Context and Timeline

Browsers are monstrously complex software suites, and Chromium is at the heart of most modern ones. In 2019, Microsoft abandoned its EdgeHTML engine to adopt Chromium, a decision that brought better compatibility and a faster pace of security fixes, but also tied Edge’s security rhythm to Chrome’s.

Use-after-free vulnerabilities have plagued browsers for years. They occur when memory is freed but the program continues to access it, creating opportunities for attackers to manipulate what occupies that memory space. Despite Google’s investments in fuzzing, address sanitizers, and mitigation techniques like MiraclePtr, these bugs still surface because the codebase is enormous and constantly evolving.

DevTools has quietly grown from a simple inspection panel into a fully-fledged debugging and automation environment. It connects to browser internals at a low level, making it a juicy target. In this case, the vulnerability didn’t require the user to open DevTools; merely visiting a malicious page after a renderer compromise could trigger it.

The timeline is typical of modern browser security:
- May 5, 2026: Google releases Chrome 148 stable with the fix, bundling it with 126 other security repairs.
- May 6, 2026: The CVE is published by NVD/Microsoft, and CISA enriches it with a higher CVSS score.
- Ongoing: Security scanners pick up the CVE, and IT departments spring into action.

Notably, Chrome 148 also fixed three other Critical vulnerabilities (in V8, WebRTC, and elsewhere) and dozens of High-severity bugs. Delaying this update leaves systems exposed to far more than just CVE-2026-7975.

What to Do Now: A Practical Checklist

Regular users:
- Open Chrome, go to chrome://settings/help, install any pending updates, and click “Relaunch”.
- For Edge, go to edge://settings/help or run Windows Update.
- Repeat for any other Chromium-based browsers (Brave, Opera, etc.).

Administrators:
- Deploy Chrome 148 via your update channels immediately. Verify that endpoints report version ≥148.0.7778.96 (Linux) or ≥148.0.7778.96/.97 (Windows/macOS).
- Deploy the latest Microsoft Edge stable build. Cross-reference with Microsoft’s update guide to confirm it includes the Chromium fixes.
- Use a combination of endpoint management and network-based checks (e.g., vulnerability scanners that query browser version) to verify compliance.
- Enable auto-update policies with forced restarts after a grace period, if feasible.
- Restrict DevTools for non-essential staff using Group Policy or Chrome Browser Cloud Management policies.
- Check your vulnerability scanner’s alert logic: ensure it flags versions below the safety thresholds and doesn’t rely solely on CPE strings that may not map neatly to Edge’s versioning.

Outlook: The Browser as a Permanent Security Frontier

CVE-2026-7975 won’t be the last use-after-free bug in a browser’s developer tooling. As Chromium adds more capabilities and Microsoft invests in Edge-specific features on top of the shared engine, the attack surface will continue to grow. The industry’s gradual move toward memory-safe languages like Rust for new browser components offers hope, but existing C++ code will need to be maintained for years.

For now, the best defense is simple: treat browser updates as critical security hygiene, on par with OS patches. The days of dismissing a Chrome or Edge update as “just a feature release” are over. Each one bundles dozens of fixes, any one of which could be the missing link in an exploit chain.

Microsoft’s quick advisory for Edge reflects a mature process, but the burden remains on users and admins to act. Don’t let a “Medium” label lull you into a leisurely patch schedule. Update, restart, and verify. The browser is your front door to the internet—keep it locked.