CVE-2026-9123 Overview
CVE-2026-9123 is a heap buffer overflow vulnerability in the Chromecast component of Google Chrome on Android, Linux, and ChromeOS prior to version 148.0.7778.179. A local attacker positioned on an adjacent network can send crafted traffic to trigger memory corruption and execute arbitrary code inside the Chrome sandbox. The flaw is tracked under CWE-122: Heap-based Buffer Overflow and was addressed in the Chrome stable channel update for desktop.
Critical Impact
Adjacent-network attackers can achieve arbitrary code execution within the Chrome sandbox by sending malicious network traffic to the Chromecast component.
Affected Products
- Google Chrome on Android prior to 148.0.7778.179
- Google Chrome on Linux prior to 148.0.7778.179
- Google Chrome on ChromeOS prior to 148.0.7778.179
Discovery Timeline
- 2026-05-20 - CVE-2026-9123 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-9123
Vulnerability Analysis
The vulnerability resides in the Chromecast component of Google Chrome, which handles device discovery and media casting over the local network. A heap buffer overflow (CWE-122) occurs when the component processes malformed network traffic and writes beyond the bounds of an allocated heap buffer. The corruption can overwrite adjacent heap metadata or object pointers, leading to arbitrary code execution inside the renderer sandbox.
Exploitation requires the attacker to reach the victim across an adjacent network segment, such as the same Wi-Fi LAN. No user interaction is required, and authentication is not needed. Successful exploitation yields code execution constrained by the Chrome sandbox, which still provides a foothold for chaining additional sandbox escape vulnerabilities.
Root Cause
The root cause is improper bounds checking when parsing Chromecast network messages. The component allocates a heap buffer based on assumed message structure, then copies attacker-controlled data without validating the destination buffer size against the actual input length. See the Chromium Issue Tracker Entry for additional context.
Attack Vector
An attacker on the same local network broadcasts or directs crafted Chromecast protocol traffic at a vulnerable Chrome instance. When Chrome's Chromecast component parses the message, the overflow triggers and the attacker gains code execution within the sandbox. No phishing, click, or credentials are required. Refer to the Google Chrome Update Post for the official advisory.
No verified public proof-of-concept code is available for this issue. The exploitation mechanism is described in prose; consult the upstream Chromium tracker for sanitized technical details.
Detection Methods for CVE-2026-9123
Indicators of Compromise
- Chrome browser or renderer process crashes on devices running versions prior to 148.0.7778.179, particularly with heap corruption signatures in crash dumps.
- Unexpected Chromecast discovery or media session traffic originating from unknown hosts on the local subnet.
- Anomalous child processes or outbound connections spawned by chrome or chromium shortly after receiving multicast traffic on UDP ports used by Chromecast (mDNS/SSDP).
Detection Strategies
- Inventory Chrome installations across Android, Linux, and ChromeOS endpoints and flag any build below 148.0.7778.179.
- Inspect network telemetry for unsolicited Chromecast or DIAL protocol traffic from non-trusted devices on guest or corporate Wi-Fi segments.
- Correlate browser crash telemetry with network events to identify exploitation attempts targeting the Chromecast component.
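One way to implement the correlation described above, as an added example that is not part of the advisory or any vendor tooling. The log formats, addresses, trusted-source list and 30-second window are assumptions, and the sample telemetry is constructed.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address

# Assumption: the only host allowed to send cast discovery traffic on this segment.
TRUSTED_CAST_SOURCES = {ip_address("10.0.20.15")}
# Discovery ports: mDNS (UDP 5353) and SSDP, which DIAL discovery uses (UDP 1900).
DISCOVERY_PORTS = {5353: "mDNS", 1900: "SSDP"}
WINDOW = timedelta(seconds=30)  # assumed correlation window

# Constructed sample telemetry (IPv4 only), not taken from the advisory.
FLOWS = """\
2026-05-21T09:14:02 udp 10.0.20.15:5353 224.0.0.251:5353
2026-05-21T09:14:40 udp 10.0.20.77:5353 10.0.20.31:5353
2026-05-21T09:15:10 udp 10.0.20.77:1900 10.0.20.32:49152
2026-05-21T09:20:00 tcp 10.0.20.77:443 10.0.20.31:51000
"""
CRASHES = """\
2026-05-21T09:14:51 10.0.20.31 chrome heap-corruption
2026-05-21T11:02:13 10.0.20.32 chrome heap-corruption
"""

def parse_flows(text):
    """Yield (time, src_ip, dst_ip, service) for untrusted discovery traffic."""
    for line in text.splitlines():
        ts, proto, src, dst = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        # Responses carry the discovery port as the source port, so check both.
        service = DISCOVERY_PORTS.get(int(dst_port)) or DISCOVERY_PORTS.get(int(src_port))
        if proto != "udp" or service is None:
            continue
        if ip_address(src_ip) in TRUSTED_CAST_SOURCES:
            continue
        yield datetime.fromisoformat(ts), src_ip, dst_ip, service

def correlate(flows_text, crashes_text):
    """Return crashes preceded within WINDOW by untrusted discovery traffic."""
    suspects = list(parse_flows(flows_text))
    hits = []
    for line in crashes_text.splitlines():
        ts, host, _process, _signature = line.split()
        crash_time = datetime.fromisoformat(ts)
        for flow_time, src, dst, service in suspects:
            # Multicast discovery traffic reaches every host on the segment.
            reaches_host = dst == host or ip_address(dst).is_multicast
            if reaches_host and timedelta(0) <= crash_time - flow_time <= WINDOW:
                hits.append({"host": host, "crash": ts, "source": src, "service": service})
    return hits
```

A hit is a lead for triage, not proof of exploitation: it pairs a heap-corruption crash with discovery traffic from a source outside the trusted list shortly before it.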
Monitoring Recommendations
- Monitor EDR telemetry for abnormal behavior of Chrome processes, including unexpected memory allocations, child process creation, or sandbox escape attempts.
- Enable verbose logging on wireless infrastructure to detect rogue devices broadcasting Chromecast advertisements on shared networks.
- Track Chrome version compliance through endpoint management tooling and alert on devices that fall behind the patched baseline.
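The version inventory and compliance tracking described above, sketched as an added example that is not part of the advisory. The inventory format and host names are assumptions and the data is constructed; only the patched build number comes from this page.

```python
import re

PATCHED = (148, 0, 7778, 179)  # fixed build named in the advisory
AFFECTED_PLATFORMS = {"android", "linux", "chromeos"}  # platforms the advisory lists
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

# Constructed inventory export: host,platform,raw version string.
INVENTORY = """\
lnx-dev-01,linux,Google Chrome 148.0.7778.179
lnx-dev-02,linux,Google Chrome 148.0.7778.92
cros-kiosk-7,chromeos,147.0.7700.10
pixel-114,android,148.0.7779.3
win-fin-09,windows,146.0.7600.1
lnx-old-04,linux,unknown
"""

def parse_version(raw):
    """Extract a four-part Chrome version as a tuple of ints, or None."""
    match = VERSION_RE.search(raw)
    return tuple(int(part) for part in match.groups()) if match else None

def audit(inventory_text):
    """Return {host: status} for hosts on the affected platforms."""
    result = {}
    for line in inventory_text.splitlines():
        host, platform, raw = line.split(",", 2)
        if platform not in AFFECTED_PLATFORMS:
            continue
        version = parse_version(raw)
        if version is None:
            result[host] = "unknown"  # no parsable version: needs a manual check
        elif version < PATCHED:
            # Tuple comparison is numeric per component; comparing the strings
            # would rank 148.0.7778.92 above 148.0.7778.179.
            result[host] = "vulnerable"
        else:
            result[host] = "patched"
    return result

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```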
How to Mitigate CVE-2026-9123
Immediate Actions Required
- Update Google Chrome to 148.0.7778.179 or later on all Android, Linux, and ChromeOS devices.
- Restart the browser after updating to ensure the patched binaries are loaded into memory.
- Audit guest and corporate Wi-Fi segments to identify untrusted devices capable of reaching Chrome clients with Chromecast traffic.
Patch Information
Google released the fix in the Chrome stable channel at version 148.0.7778.179. Details are available in the Google Chrome Update Post and the Chromium Issue Tracker Entry. Apply the update through standard Chrome auto-update mechanisms or via managed software distribution channels.
Workarounds
- Segment guest and untrusted wireless networks from corporate endpoints to limit adjacent-network exposure.
- Disable media routing or Chromecast discovery via the MediaRouterEnabled enterprise policy where business needs allow.
- Restrict mDNS, SSDP, and DIAL traffic at the network layer until patching is complete.
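```bash
# Example: disable Chrome Media Router via enterprise policy on Linux
# Create the managed policy directory used by Google Chrome
sudo mkdir -p /etc/opt/chrome/policies/managed
# Quoted heredoc delimiter: the JSON is written literally, with no shell expansion
cat <<'EOF' | sudo tee /etc/opt/chrome/policies/managed/disable_cast.json
{
  "MediaRouterEnabled": false,
  "EnableMediaRouter": false
}
EOF
# Restart Chrome, then confirm which policies were applied at chrome://policy
```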


