What the vulnerability does
01Description
Insufficient validation of untrusted input in USB in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Medium)
CVSS base score
—
Key dates
02Disclosure timeline
May 28, 2026
CVE published
May 30, 2026
Record updated
External resources
03References
Related vulnerabilities
04Related CVE
CVE-2021-20195
CVE-2023-21554 Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
CVE-2026-11259
CVE-2025-24882 regclient may ignore pinned manifest digests
CVE-2023-42449 Malicious head initialiser can extract PTs from control of Hydra scripts, leading to locked participant commits or spoofed commits
