LOW 3.1

CVE-2026-9920: Chrome Android GPU Memory Leak Vulnerability

Google Chrome on Android contains a vulnerability in GPU memory handling that could allow an attacker who has already compromised the browser's renderer process to access sensitive data from websites that should be isolated from each other. The vulnerability stems from uninitialized memory in the GPU code path, which under specific conditions could leak cross-origin data through a malicious webpage. This requires the renderer process to be compromised first, making it a secondary exploitation step rather than a direct entry point.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.1 LOW · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-457
Affected products
2 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Uninitialized Use in GPU in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9920 is an uninitialized use vulnerability (CWE-457) in the GPU rendering subsystem of Chromium on Android. An attacker who has achieved renderer process compromise can craft an HTML page that triggers use of uninitialized GPU memory to leak sensitive data from cross-origin contexts. The vulnerability was classified as High severity by the Chromium security team but received a CVSS 3.1 score of 3.1 (Low) due to the high barrier to exploitation: the attacker must first compromise the renderer process, and the user must interact with the malicious page. The fix is included in Chrome version 148.0.7778.216 and later.

Business impact

While this vulnerability requires a prior renderer compromise to exploit, it represents a data confidentiality risk within an already-attacked browser session. For organizations managing Android devices in regulated industries (finance, healthcare, law), the potential to leak cross-origin data could amplify the impact of other attacks. The low CVSS score reflects the attack complexity, but the underlying GPU memory safety issue warrants timely patching to prevent opportunistic chaining with other Android or Chrome vulnerabilities.

Affected systems

Google Chrome on Android versions prior to 148.0.7778.216 are affected. The vulnerability is specific to the Android platform and does not affect Chrome on Windows, macOS, or Linux. Organizations running Chrome on managed Android devices, particularly those supporting legacy device models with outdated GPU drivers, may experience slower patch adoption.

Exploitability

Exploitation requires a high-barrier attack chain: first, the renderer process must be compromised (via another vulnerability or user deception), and second, the attacker must craft a specific HTML payload to trigger the uninitialized GPU memory access. The need for user interaction (UI:R) and high attack complexity (AC:H) significantly limit real-world exploitation. There is no evidence of active exploitation in the wild, and this vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog.

Remediation

Update Google Chrome on Android to version 148.0.7778.216 or later. For managed Android environments, enable automatic updates or configure a mobile device management (MDM) solution to enforce timely Chrome updates. Organizations should validate that target Android devices support the latest Chrome version; older device models may have GPU driver limitations that prevent full patching.

Patch guidance

Priority for patching should be moderate, aligned with regular Chrome release cycles. Android device administrators should verify Chrome auto-update functionality is enabled in their fleet. For organizations using managed Chrome (via enterprise policies), ensure MDM policies enforce the minimum version constraint. Test patches on a small cohort of devices before broad rollout to identify any compatibility issues with GPU-accelerated rendering on diverse Android hardware.

Detection guidance

Detection of exploitation is challenging without renderer process introspection. Organizations should monitor for unusual cross-origin data exfiltration patterns in network logs (look for unexpected outbound connections from the Chrome process) and review crash logs for GPU-related segmentation faults. On managed Android devices, enable logging for Chrome sandbox violations. Behavioral indicators of renderer compromise (high CPU usage, unexpected battery drain, network anomalies) are more easily observable and warrant investigation.

Why prioritize this

Although the CVSS score is low, the vulnerability should be prioritized in regular patching cadences because: (1) it involves GPU memory safety, a complex subsystem with historical exploitation difficulty; (2) it affects a ubiquitous mobile browser where Android users often run untrusted applications; and (3) it is most dangerous in contexts where prior renderer compromise is plausible (e.g., devices running apps with history of security issues). However, it should not pre-empt remediation of higher-severity vulnerabilities affecting the same systems.

Risk score, explained

The CVSS 3.1 score of 3.1 (Low) reflects the attack prerequisites: network-based delivery (AV:N) but high attack complexity (AC:H) due to the need for renderer compromise, no privilege escalation required (PR:N), user interaction needed (UI:R), confidentiality impact limited to cross-origin data leaks (C:L), no integrity or availability impact (I:N, A:N), and unchanged scope (S:U). While Chromium's internal assessment was High severity, the CVSS model correctly downrates it due to the necessary preconditions. Organizations should not dismiss it as negligible but should triage it below critical/high-severity vulnerabilities.

Frequently asked questions

Does this vulnerability allow attackers to directly compromise my Chrome browser from the internet?

No. The vulnerability requires the renderer process to already be compromised through another attack or social engineering. It is a secondary exploitation step that leaks data from an already-compromised session. Users should still practice safe browsing and keep Chrome updated, as they do against all attacks.

What data can be leaked if this vulnerability is exploited?

The vulnerability allows access to sensitive data from cross-origin contexts—for example, data from one website that should be isolated from another. The exact scope depends on what data was present in GPU memory at the moment of exploitation. This could include fragments of cached webpage content, authentication tokens, or other in-flight data, but only if the attacker has already compromised the renderer process.

Is this vulnerability actively being exploited in the wild?

No. There is no evidence of active exploitation. The vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog, and the high barrier to exploitation (requiring prior renderer compromise) makes it unlikely to be an easy target for attackers.

Should I prioritize this patch over other updates I'm managing?

Patch it on your regular Chrome update schedule, but do not deprioritize other higher-severity vulnerabilities to address this one. For managed Android fleets, ensure auto-update is enabled and monitor for successful rollout to version 148.0.7778.216 or later over the next few weeks.

This analysis is based on official CVE data and Chromium security advisories current as of the publication date. Patch version numbers and affected versions should be verified against Google's official Chrome release notes and security advisories. Organizations should consult their internal security policies and risk frameworks when prioritizing remediation. SEC.co provides this analysis for informational purposes; it does not constitute legal advice or a guarantee of protection. Always conduct internal testing before deploying patches to production environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).