MEDIUM 4.3

CVE-2026-9919: Android Chrome WebGL Out-of-Bounds Read Cross-Origin Data Leak

A WebGL processing flaw in Google Chrome for Android allows attackers to read data they shouldn't have access to by tricking users into visiting a malicious webpage. The vulnerability exists in how Chrome handles certain graphics operations and can leak information across website boundaries, but only affects the Android version of Chrome and requires user interaction to exploit.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-125
Affected products
2 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Out of bounds read in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9919 is an out-of-bounds read vulnerability in the WebGL implementation of Chromium-based Chrome on Android. The flaw permits a remote, unauthenticated attacker to trigger memory reads beyond intended buffer boundaries via a crafted HTML page, potentially disclosing cross-origin data. The vulnerability was assigned Chromium security severity High and scored CVSS 3.1 base 4.3 (CWE-125: Out-of-bounds Read). The issue affects Chrome versions prior to 148.0.7778.216 on Android devices.

Business impact

This vulnerability poses a targeted data exfiltration risk for organizations whose users access sensitive web applications via Chrome on Android. An attacker could craft a malicious page that, when visited, leaks session tokens, authentication credentials, or other sensitive data from concurrently open sites. While the CVSS score remains moderate, the cross-origin leakage potential elevates concern for enterprises managing mobile workforces or BYOD environments. The attack requires no special network positioning or user privileges—only that a victim visit a hostile page while authenticated to sensitive services.

Affected systems

The vulnerability is specific to Google Chrome on Android operating systems, versions prior to 148.0.7778.216. Desktop and iOS versions of Chrome are not affected. Organizations should inventory mobile device deployments of Chrome, particularly those used to access corporate or sensitive web applications. Android-based Chrome instances in managed environments (MDM-enrolled devices) may be easier to patch centrally; consumer personal devices present greater patching challenges.

Exploitability

Exploitation requires user interaction (visiting a malicious or compromised webpage), lowering the attack surface compared to direct remote code execution vulnerabilities. However, the barrier is not high—a phishing email, ad injection, or watering hole attack could deliver the malicious HTML. An attacker does not need special network access or privileges. Proof-of-concept construction would be straightforward for skilled attackers familiar with WebGL APIs. This vulnerability is not currently tracked as exploited in the wild (KEV status: not listed), but that status can change.

Remediation

Update Google Chrome on all Android devices to version 148.0.7778.216 or later. The patch has been released through Google's standard Chrome update channels. For enterprise deployments, use mobile device management tools to enforce updates or restrict Chrome until patching is complete. For personal devices, enable automatic updates in Chrome settings (Settings > About Chrome > Enable automatic updates). Verify patch deployment on a sample of devices to confirm successful remediation.

Patch guidance

Google Chrome on Android receives updates through the Google Play Store. Verify that affected devices receive Chrome version 148.0.7778.216 or later by checking Settings > About Chrome, which will display the current version and initiate auto-update checks. Enterprise administrators can deploy patches via MDM solutions (Intune, MobileIron, etc.) or through managed Google Play. No manual compilation or configuration is required; the patch is delivered as a standard Chrome update.

Detection guidance

Monitor Chrome version inventory across Android devices in your environment using MDM reporting or device inventory tools. Log access patterns to sensitive web applications from mobile Chrome instances to identify potential attack attempts, though detection of successful exploitation would require advanced memory forensics or WebGL API logging on the device (not typically available in standard browser logs). Look for unusual cross-origin data access requests or anomalous data exfiltration patterns if deployed in environments with strong DLP or network monitoring.

Why prioritize this

Although the CVSS score is moderate (4.3), prioritize this vulnerability in mobile-heavy or BYOD environments due to the cross-origin data leakage potential and the ease of user-directed exploitation. If your organization relies on Android Chrome for accessing sensitive web portals, email, or financial systems, the business risk justifies rapid patching. The fix is simple (standard update) and low-friction, making this a strong candidate for urgent but manageable remediation in mobile device management schedules.

Risk score, explained

The CVSS 3.1 score of 4.3 reflects a network-accessible, low-complexity attack requiring user interaction but with only confidentiality impact (no integrity or availability loss). The vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N appropriately captures the attack surface. The 'Medium' severity rating aligns with the bounds-read class and limited scope; however, the cross-origin leakage aspect and mobile deployment ubiquity warrant treating this more urgently than the raw score might suggest in a BYOD or managed device context.

Frequently asked questions

Can this vulnerability affect Chrome on desktop or iOS?

No. CVE-2026-9919 is specific to Chrome on Android. Desktop Chrome and iOS Chrome versions are not affected by this WebGL out-of-bounds read flaw.

Do users need to click anything malicious for the attack to work?

Yes, the user must visit a webpage containing the malicious HTML. This could happen via a phishing email, a compromised website, or other social engineering. Simply having Chrome open is not sufficient; active navigation to the hostile page is required.

Will patching this break any apps or extensions?

No. Chrome version 148.0.7778.216 is a security patch release and does not introduce breaking changes. Existing apps and extensions should continue to function normally after the update.

What data could leak through this vulnerability?

The vulnerability allows out-of-bounds reads from Chrome's memory during WebGL processing, potentially exposing data from other origins (websites) that the user has open or has recently visited. This could include session tokens, cookies, or cached application state, depending on memory layout and what sites are active at the time of exploitation.

This analysis is provided for informational purposes and reflects the vulnerability details as of the publication and modification dates listed. Patch version numbers and availability should be verified against Google's official security advisory and Chrome release notes. Organizations should conduct their own risk assessment based on their specific Chrome deployment footprint, user population, and sensitive data exposure. SEC.co makes no warranty regarding the completeness or accuracy of affected version ranges beyond published source data. Always test patches in a controlled environment before broad deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).