MEDIUM 6.5

CVE-2026-9912: Chrome GPU Memory Disclosure on Android – Patch Required

A flaw in Google Chrome's GPU processing on Android allows attackers to steal sensitive information from your device's memory. An attacker can craft a malicious web page that, when you visit it, extracts data from Chrome's process memory without your knowledge. No action from you is required beyond visiting the page—the vulnerability is triggered automatically during normal browsing.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-200
Affected products
2 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in GPU in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9912 is a memory disclosure vulnerability in Chrome's GPU implementation on Android. The vulnerability stems from an inappropriate implementation in GPU-related code that fails to properly isolate or protect process memory regions. An unauthenticated remote attacker can exploit this by hosting a crafted HTML page. When a user navigates to the malicious page, the GPU processing logic incorrectly exposes memory contents that should remain private to the Chrome process. The vulnerability affects Chrome on Android versions prior to 148.0.7778.216. Chromium has classified this as a High-severity issue internally, though the CVSS 3.1 score of 6.5 reflects the requirement for user interaction (visiting a page).

Business impact

This vulnerability poses a data confidentiality risk to Chrome users on Android. Sensitive information accessible from process memory—such as session tokens, cached credentials, encryption keys, or user data from other browser tabs—could be extracted and used for account takeover, session hijacking, or further attacks. For organizations managing Android devices with corporate users, compromise of Chrome's process memory could lead to unauthorized access to internal systems or cloud services. The limited attack surface (requires user to visit a crafted page) moderates the enterprise risk, but the high information sensitivity makes this noteworthy for security teams managing mobile devices.

Affected systems

Google Chrome on Android versions prior to 148.0.7778.216 are affected. Desktop versions of Chrome and Chrome on other platforms are not impacted by this specific GPU implementation flaw. Android devices running older Chrome versions present the highest risk, particularly those where auto-update may be disabled or delayed.

Exploitability

Exploitability is straightforward from an attacker's perspective but requires user interaction. An attacker must trick or socially engineer a user into visiting a malicious web page; they cannot exploit the vulnerability through passive network attacks or without user action. However, the craft threshold is low—the malicious HTML does not require JavaScript exploitation or plugin vulnerabilities, just carefully constructed GPU rendering commands. Given Chrome's widespread use on Android and the ease of distributing malicious links via social engineering, practical exploitability is considered moderate to high. The vulnerability is not known to be actively exploited in the wild (KEV status is false), which provides a window for patching before widespread attack campaigns.

Remediation

Update Chrome on Android to version 148.0.7778.216 or later. Users should enable automatic updates in the Google Play Store settings to receive patches immediately. For managed Android deployments, IT teams should verify that Chrome auto-update policies are enforced and push updates through their mobile device management (MDM) solution if available. Interim risk reduction can be achieved by educating users to avoid clicking untrusted links and restricting browsing to known safe sites, though patching remains the only complete mitigation.

Patch guidance

Google has released Chrome version 148.0.7778.216 and later containing the fix. Verify the installed version by navigating to Chrome's About page (Settings > About Chrome). The Play Store will automatically deliver updates if auto-update is enabled; users and administrators should confirm this setting is active. For organizations using Chromebook or Android Enterprise, verify that Chrome updates are pushed through your MDM console. No manual configuration changes or workarounds are needed post-patch; the update simply requires installation and a browser restart.

Detection guidance

Detection is challenging at the endpoint level because the exploitation occurs within Chrome's GPU processing pipeline and leaves minimal forensic artifacts. Monitor for: (1) unusual outbound network connections from Chrome to unfamiliar domains, particularly if correlated with employee reports of unexpected behavior; (2) Chrome process crashes or restarts, which may occur if exploitation fails or triggers error handling; (3) access logs to your organization's authentication systems for anomalous session activity that correlates with the date range when Chrome versions prior to 148.0.7778.216 were in use. On the network side, intrusion detection systems with visibility into DNS queries and TLS handshakes may flag suspicious domains used in phishing campaigns that distribute the malicious HTML. The most reliable detection is proactive: ensure all Android devices are running Chrome 148.0.7778.216 or later via MDM telemetry or vulnerability scanning tools.

Why prioritize this

Prioritize this patch for medium-to-high urgency. While the CVSS score is 6.5 (medium), the combination of high information sensitivity, ease of exploitation via social engineering, and widespread Chrome usage on Android argues for expedited remediation. Organizations with a large Android user base or high-value targets (executive devices, contractors accessing sensitive systems) should prioritize fastest. However, the lack of known active exploitation and the requirement for user interaction mean this does not warrant an emergency response; plan deployment within 2–4 weeks through your standard MDM update cycle.

Risk score, explained

The CVSS 3.1 score of 6.5 reflects: (1) Network attack vector (AV:N)—attacker can exploit remotely; (2) Low attack complexity (AC:L)—no special conditions needed; (3) No privileges required (PR:N); (4) User interaction required (UI:R)—user must visit the malicious page; (5) Unchanged scope (S:U); (6) High confidentiality impact (C:H)—sensitive data can be extracted; (7) No integrity or availability impact (I:N, A:N). The medium severity reflects the user interaction requirement; without it, this would likely score in the 'High' or 'Critical' range given the memory disclosure risk.

Frequently asked questions

Can this vulnerability be exploited if I just receive a link but don't click it?

No. The vulnerability requires you to actually visit and render the malicious HTML page in Chrome on Android. Simply receiving a link, previewing it in a messaging app, or having it open in a background tab is insufficient. However, you should still avoid clicking suspicious links from untrusted sources.

Does this affect Chrome on my desktop or laptop?

No. This vulnerability is specific to Chrome's GPU implementation on Android. Chrome on Windows, macOS, Linux, and iOS is not affected by CVE-2026-9912.

What information could be stolen if I visit a malicious page?

The attacker gains access to whatever data is currently in Chrome's process memory, which could include session tokens, cached passwords, browsing history, encryption keys, or data from open tabs. The specific content depends on your browsing activity at the time of exploitation. Financial data, login credentials, or authentication tokens are common targets.

If I've already patched Chrome to 148.0.7778.216, am I fully protected?

Yes. The patch closes this specific memory disclosure vector. However, good security hygiene (avoiding suspicious links, enabling Chrome's Safe Browsing, using a password manager with unique passwords) remains important for protection against other threats.

This analysis is based on publicly available information as of the publication date and represents the assessment of SEC.co's security research team. CVSS scores, vendor patch versions, and KEV status are derived from official sources (NVD, Chromium security advisories). Organizations should verify patch applicability in their environment and test updates in staging before production deployment. This vulnerability analysis does not constitute legal, compliance, or risk management advice; consult your organization's security and legal teams for policy decisions. No exploit code or weaponized proof-of-concept is provided or endorsed by SEC.co. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).