CVE-2026-9907: Chrome Out-of-Bounds Read Vulnerability Enables Cross-Origin Data Leakage
A memory read vulnerability in Google Chrome's Dawn graphics component allows attackers to access sensitive data from different website origins. An attacker can craft a malicious web page that, when visited by a user, tricks Chrome into reading memory beyond intended boundaries and leaking information from other websites the user may have open. This affects Windows systems running Chrome versions prior to 148.0.7778.216.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-125
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Out of bounds read in Dawn in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9907 is an out-of-bounds read vulnerability in the Dawn graphics API implementation within Google Chrome on Windows. The flaw exists in how Chrome processes graphics-related memory operations, permitting an attacker to craft HTML content that triggers the out-of-bounds condition. When exploited, the vulnerability enables cross-origin data exfiltration—allowing access to sensitive information from websites visited in other browser tabs or windows. The vulnerability is classified as CWE-125 (Out-of-bounds Read).
Business impact
This vulnerability poses a data confidentiality risk to organizations whose employees browse the web using vulnerable Chrome versions on Windows. Attackers could potentially extract authentication tokens, session cookies, personal information, or other sensitive data from multiple website contexts simultaneously. While the attack requires user interaction (visiting a malicious page), the cross-origin nature means defenders cannot rely on same-origin policy as a safeguard. Organizations should prioritize patching to prevent information disclosure incidents.
Affected systems
Google Chrome on Windows prior to version 148.0.7778.216 is affected. The vulnerability is specific to Windows systems; Chrome versions on other platforms require separate assessment. Any Windows user running a Chrome version before the fixed version is at risk when visiting untrusted or compromised web pages.
Exploitability
The vulnerability requires user interaction—specifically, a user must visit a crafted web page hosted by or redirected by an attacker. The attack vector is network-based with no special privileges required. However, the requirement for user action (clicking a link, visiting a site) moderates the overall risk profile. Once a user lands on a malicious page, the browser may automatically trigger the out-of-bounds read without further interaction. The moderate CVSS score of 4.3 reflects this user-interaction barrier combined with the impact being limited to information disclosure rather than code execution.
Remediation
Update Google Chrome to version 148.0.7778.216 or later on all Windows systems. Organizations should enforce Chrome auto-updates or use managed deployment tools to accelerate patching. For environments where immediate patching is not feasible, consider restricting access to untrusted websites or enforcing network-level content filtering to block known attack vectors. User education on avoiding suspicious links and pages also provides defense-in-depth.
Patch guidance
Administrators should verify the installed Chrome version matches or exceeds 148.0.7778.216. Chrome's auto-update mechanism typically handles this automatically, but administrators managing enterprise deployments via Chrome Enterprise should confirm rollout completion. Test the patched version in a staging environment if required by your change management process. After patching, users should restart their browser to ensure the fix is active.
Detection guidance
Monitor network traffic for unusual patterns from Chrome processes, particularly connections to unexpected or suspicious domains. Endpoint Detection and Response (EDR) tools should flag abnormal memory access patterns or graphics API calls originating from the browser process. Log authentication events and session activity to identify potential token theft or cross-site data access. Security Information and Event Management (SIEM) systems should correlate browser crashes or restarts with timeline of potential malicious page visits. Memory forensics may reveal artifacts of out-of-bounds reads if incident investigation is required.
Why prioritize this
Although the CVSS score is medium (4.3), the cross-origin data leakage aspect elevates business risk in sensitive environments. Organizations handling regulated data (healthcare, finance, legal) should prioritize this patch quickly because the vulnerability could lead to compliance violations if exploited. The ease of exploitation (only requiring a malicious web page) and the user-interaction requirement create a realistic attack scenario, especially in organizations where users visit diverse websites. Prioritize systems belonging to high-value targets, administrative users, and employees accessing sensitive applications.
Risk score, explained
The CVSS 3.1 score of 4.3 (Medium severity) reflects a network-based attack with low complexity and no special privileges, but with a requirement for user interaction. The impact is limited to confidentiality loss (information disclosure) with no impact on integrity or availability. The score appropriately captures that this is not a remote code execution or privilege escalation flaw, but rather a data exposure risk. Organizations handling sensitive information may assign a higher internal risk rating based on their threat model and data classification, even though the base CVSS remains 4.3.
Frequently asked questions
Can this vulnerability be exploited without the user visiting a malicious page?
No. The attack requires user interaction in the form of visiting or being redirected to a crafted web page. However, social engineering or drive-by download tactics could increase the likelihood of a user reaching the malicious page.
Does patching Chrome on Windows protect users on other operating systems?
No. This CVE is specific to Chrome on Windows. Users on macOS, Linux, and Android should verify whether Chrome versions on their respective platforms address similar graphics issues through separate security advisories.
If a user opens a patch-protected Chrome version, are they completely safe from this vulnerability?
Yes, version 148.0.7778.216 and later on Windows contain the fix for this out-of-bounds read. However, general security hygiene—such as avoiding suspicious links and maintaining other software—remains important.
What data could an attacker steal using this vulnerability?
An attacker could potentially leak session tokens, cookies, authentication credentials, personal user data, or other information stored in the browser memory context of other open website tabs or windows. The specific data depends on what the victim user has open at the time of exploitation.
This analysis is provided for informational purposes to support security decision-making. SEC.co does not warrant the accuracy or completeness of this intelligence. Organizations should verify patch availability and compatibility within their specific environments before deployment. This vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog at the time of publication; however, absence from KEV does not indicate absence of active exploitation. Always consult the official Google Chrome security advisory and vendor guidance for authoritative information. Adapt remediation timelines based on your organization's risk tolerance, system criticality, and security policies. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure
- CVE-2026-11005MEDIUMOut-of-Bounds Read in Chrome ANGLE on Windows
- CVE-2026-11006MEDIUMChrome Out-of-Bounds Read in Dawn Graphics API—Urgent Patch Required
- CVE-2026-9953MEDIUMChrome ANGLE Out-of-Bounds Memory Read Information Disclosure
- CVE-2026-10889HIGHCritical ANGLE Sandbox Escape in Google Chrome – Patch to 149.0.7827.53
- CVE-2026-10927HIGHChrome Sandbox Escape via Dawn Out-of-Bounds Read
- CVE-2026-10941HIGHSkia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required