CVE-2026-9917: Chrome WebGL Memory Leak on Android – Patch Guide
Google Chrome on Android contains a flaw in its WebGL graphics processing that fails to properly initialize memory before use. When a user visits a malicious webpage, an attacker can read sensitive data left in process memory—such as parts of cached images, passwords, or other application state—without needing special permissions or bypass techniques. This affects Chrome versions before 148.0.7778.216 on Android devices.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-457
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Uninitialized Use in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9917 is an uninitialized variable vulnerability (CWE-457) in the WebGL implementation of Chromium-based browsers on Android. The flaw occurs when WebGL allocates graphics memory but fails to zero or properly initialize it before use. A remote attacker can craft a malicious HTML page containing WebGL operations that expose previously-allocated but uncleared memory contents to JavaScript running in the browser context. The vulnerability is confined to information disclosure; it does not permit code execution or denial of service. The attack vector is network-based with user interaction required (a user must visit the attacker's page), and impact is limited to confidentiality.
Business impact
Organizations supporting or managing Android devices with Chrome—particularly those handling sensitive operations in browser contexts—face a confidentiality risk. Users accessing banking, email, or other sensitive web applications on affected Chrome versions could have cached session data, temporary tokens, or personal information inadvertently exposed during the same browsing session or across tab boundaries if that data was previously loaded into WebGL memory pools. The medium CVSS score reflects that exploitation requires user interaction and does not lead to account compromise or persistent access, but the sensitivity of data that could be leaked warrants timely patching.
Affected systems
Google Chrome on Android versions prior to 148.0.7778.216 are vulnerable. Devices running any Android OS version are affected if they have an affected Chrome version installed. Desktop and iOS Chrome versions are not affected by this particular flaw. Organizations should focus remediation efforts on Android-based device fleets and mobile user populations.
Exploitability
Exploitation is straightforward from a technical perspective: an attacker needs only to host a specially-crafted HTML page with WebGL content and trick a user into visiting it—via phishing, ad networks, or compromised websites. No authentication, local access, or system privilege elevation is required. However, the actual value of exposed data depends on what happens to be in memory at the time of exploitation, making attacks somewhat opportunistic rather than targeted. This vulnerability does not appear on the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting no active in-the-wild exploitation has been publicly disclosed as of the last update.
Remediation
Update Google Chrome on all Android devices to version 148.0.7778.216 or later. Chrome's auto-update mechanism typically deploys patches within days of release, but users should manually check Settings > About Chrome > Chrome to force an immediate update if needed. Organizations managing Android devices via mobile device management (MDM) solutions should verify that their Chrome deployment policy is set to auto-update or should push the patch through their MDM console.
Patch guidance
Google released fix version 148.0.7778.216 for Chrome on Android. Verify installation by navigating to Chrome Settings > About Chrome, which will display the current version and automatically check for updates if outdated. For enterprise Android deployments, consult your MDM platform's documentation to deploy the update to managed devices. No interim workarounds exist; updating is the only mitigation. Chromium's security advisory for this issue should be consulted for any platform-specific deployment notes.
Detection guidance
Detection at the network level is difficult because the exploit consists of a normal HTTPS request to a malicious webpage. Security teams should focus on: (1) monitoring Chrome version compliance across Android fleets via MDM telemetry or inventory tools, (2) watching for suspicious WebGL-heavy pages in proxy or endpoint logs that may correlate with data exfiltration attempts, and (3) alerting on Chrome versions older than 148.0.7778.216 in device inventory. Endpoint detection should prioritize patching speed rather than behavioral detection, since the attack is passive memory reading and leaves minimal forensic traces.
Why prioritize this
While the CVSS score is medium (6.5) and the vulnerability requires user interaction, the attack surface is broad—any webpage visit is a potential trigger—and the information disclosed could be highly sensitive. Organizations with high concentrations of Android users, strict data protection requirements, or users accessing financial or healthcare platforms should prioritize this patch within days. The lack of KEV status and public exploits provides a brief window before attackers likely begin weaponizing it, making early patching a form of breach prevention.
Risk score, explained
The CVSS score of 6.5 reflects a network attack vector requiring user interaction (clicking a link), no special privileges, and impact to confidentiality only (no integrity or availability impact). Chromium's internal severity rating of 'High' differs from CVSS's 'Medium' because browser vendors often weigh memory disclosure and potential for chaining with other flaws more heavily. The discrepancy underscores that CVSS alone does not capture context—a memory leak in a browser can enable subsequent privilege escalation or credential harvesting in real-world attack chains.
Frequently asked questions
Can this vulnerability allow an attacker to run code or fully compromise my device?
No. CVE-2026-9917 permits only information disclosure—an attacker can read uninitialized memory contents exposed by WebGL. It does not enable code execution, privilege escalation, or persistent access. However, leaked memory could contain sensitive data that aids subsequent attacks.
Do I need to update if I don't use Chrome on my Android phone?
This vulnerability affects Chrome on Android specifically. If you use a different browser (Firefox, Safari, Edge), or if you primarily use Chrome on desktop or iOS, this CVE does not apply to you. Check your device's browser settings to confirm which browser and version you run.
What should I tell users about this vulnerability?
Advise users to update Chrome on their Android devices to the latest version available through the Play Store, and reassure them that no action is required on their part beyond applying the update. There is no user-facing workaround. Avoid alarming messaging—the risk is moderate and addressed by a standard patch.
How do I verify that my organization's Android devices are patched?
Use your MDM platform's device inventory or compliance reporting features to filter devices by Chrome version. Generate a report of all devices with Chrome versions older than 148.0.7778.216 and prioritize updating them. If your MDM supports automatic updates, verify the policy is enabled. Test on a sample device to ensure the update deploys and installs as expected.
This analysis is provided for informational and risk management purposes. It is based on publicly available information current as of the publication date and does not constitute professional security advice or a guarantee of security outcomes. Organizations must conduct their own threat assessment and patch management based on their specific environments and risk tolerance. SEC.co does not provide exploitation services or proof-of-concept code. Always verify patch availability and compatibility with your systems before deployment. Refer to Google's official security advisory and Chromium bug tracker for authoritative technical details. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10008MEDIUMChrome Android GPU Memory Disclosure Vulnerability
- CVE-2026-10977MEDIUMUninitialized Use in Chrome Skia Renderer—Data Leak Risk
- CVE-2026-10994MEDIUMGoogle Chrome ANGLE Memory Disclosure Vulnerability – Update to 149.0.7827.53
- CVE-2026-11033MEDIUMChrome macOS WebML Memory Disclosure Vulnerability
- CVE-2026-9921MEDIUMChrome Android WebGL Information Disclosure – Patch Guidance
- CVE-2026-9935MEDIUMChrome ANGLE Uninitialized Memory Leak – Cross-Origin Data Disclosure
- CVE-2026-9942MEDIUMANGLE Site Isolation Bypass in Chrome – Remediation Guide
- CVE-2026-10960HIGHChrome Sandbox Escape via Uninitialized Codec Variable