MEDIUM 4.3

CVE-2026-9929: Chrome Android WebGL Cross-Origin Data Leak Vulnerability

A flaw in how Google Chrome on Android handles WebGL—a technology that enables 3D graphics in web browsers—could allow an attacker to trick a user into visiting a malicious webpage and expose data from other websites the user has open. The attacker cannot force this to happen; the user must interact with the page, such as by clicking or scrolling. This is a cross-origin data leak, meaning sensitive information from one domain could become visible to JavaScript code running on an attacker's domain.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-200
Affected products
2 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9929 is an inappropriate implementation vulnerability in the WebGL subsystem of Google Chrome on Android. The flaw permits cross-origin data leakage when a user visits a crafted HTML page. The attack surface is the rendering engine's WebGL implementation, which does not properly isolate graphics memory or context state between origins. An attacker can construct a webpage that, through crafted WebGL operations, reads or infers data from other open tabs or frames. Chromium classifies this as High severity internally, though the CVSS 3.1 score of 4.3 reflects the requirement for user interaction and the limited direct impact (confidentiality only, no integrity or availability loss).

Business impact

For most organizations, the risk is indirect but non-negligible. End users—especially those handling sensitive work in web applications—could have session tokens, form data, or other cross-origin content leaked to attacker-controlled scripts. This is particularly concerning in multi-tab browsing scenarios where users may have authentication credentials or sensitive applications open simultaneously. Affected organizations should prioritize patching for employees and users with elevated access to critical web-based systems, though the user-interaction requirement and medium CVSS score mean this is not a critical emergency for most deployments.

Affected systems

Google Chrome on Android versions prior to 148.0.7778.216 are vulnerable. Desktop Chrome and Chrome on iOS are not mentioned in the advisory, suggesting they may be unaffected or were patched separately. Android users on older Chrome versions, particularly those on unmanaged personal devices, represent the primary exposure. Organizations should check Chrome version distribution in their BYOD and managed Android fleets.

Exploitability

Exploitability is moderate. An attacker must craft a malicious HTML page and convince or trick a user into visiting it—phishing, social engineering, watering-hole attacks, or malvertising are typical vectors. The attack does not require the user to grant special permissions or accept prompts beyond normal browsing. No known public exploits are tracked by CISA (KEV status is false), but the attack is straightforward enough that proof-of-concept code could emerge once the patch is widely available and researchers compare versions. The barrier to exploitation is low once an attacker has a distribution channel.

Remediation

Update Google Chrome on Android to version 148.0.7778.216 or later. Users can check their Chrome version in Settings > About Chrome, which will trigger an automatic update check. For organizations managing Android devices, deploy this patch via your EMM (Enterprise Mobility Management) solution, MDM policy, or employee communication directing users to update manually. Verify the version has incremented after the update completes, as some devices may cache older versions briefly.

Patch guidance

Google released patch version 148.0.7778.216 for Chrome on Android. Verify this version number in your environment post-update using Chrome's Settings > About Chrome panel or via MDM telemetry. If your organization uses a Chrome Enterprise policy server, confirm that the minimum version policy has been updated to reflect the patched version. For BYOD scenarios, communicate the patch urgently to users and monitor Chrome Sync data if available to estimate update compliance. No interim mitigations are available; patching is the only remediation.

Detection guidance

Monitor for anomalous WebGL activity in browser console logs or network telemetry. Look for unusual cross-origin fetch requests or XHR calls originating from unexpected frames or pop-ups, especially if they coincide with user reports of data exposure. Check for suspicious inline scripts or WebGL shader code in web traffic inspection tools. On Android devices, endpoint detection tools may flag suspicious Chrome child processes spawning WebGL rendering threads. Proactive detection is challenging; focus instead on rapid patching and user education about avoiding untrusted websites.

Why prioritize this

Prioritize this patch for users with access to sensitive web applications, financial systems, or authentication-required SaaS platforms. The cross-origin data leak risk is elevated when users maintain multiple sensitive sessions in parallel. However, the CVSS score of 4.3, lack of KEV tracking, and requirement for user interaction place this below zero-day critical patches or actively exploited vulnerabilities. It should fit into a regular monthly patch cycle rather than emergency patching, unless you have evidence of targeted attacks in your sector.

Risk score, explained

The CVSS 3.1 score of 4.3 (MEDIUM) reflects: Network-based attack vector (AV:N, low bar); low attack complexity (AC:L, no special setup required); no privilege escalation (PR:N); but critically, user interaction required (UI:R, must visit the page). Confidentiality impact is Low (C:L)—data may leak but is not wholesale theft—and no Integrity or Availability impact. The Chromium internal rating of High likely reflects the ease of exploitation and severity of cross-origin leaks from a browser-architecture perspective, but CVSS penalizes it for the user-interaction gate and limited scope. For risk prioritization, consider the user interaction requirement as a substantial mitigating factor.

Frequently asked questions

Does this vulnerability affect Chrome on my desktop or iPhone?

No. CVE-2026-9929 is specific to Chrome on Android. Desktop Chrome (Windows, macOS, Linux) and Chrome on iOS are not listed as affected in this advisory. Check the official Google Chrome release notes or contact your vendor if you need confirmation for your specific platform.

Can this vulnerability steal my passwords or session cookies?

Potentially, yes. The vulnerability allows cross-origin data leakage, which could include session tokens or sensitive data in the DOM of other tabs or pages you have open. This is why users with multiple sensitive web applications open simultaneously face higher risk. Update Chrome immediately to close this gap.

Is there a way to work around this vulnerability without updating Chrome?

No reliable workaround exists. Users can reduce risk by avoiding untrusted websites and not opening multiple sensitive web applications in the same browser session, but these are not substitutes for patching. Update to version 148.0.7778.216 or later as soon as possible.

Why is this marked MEDIUM severity if it's a cross-origin data leak?

CVSS scores account for attack complexity, privilege requirements, and user interaction. Although cross-origin leaks are serious, this vulnerability requires a user to voluntarily visit a malicious page, which lowers the automatic severity score. Chromium's internal assessment of High reflects the technical severity; CVSS adjusts downward for practical exploitation barriers.

This analysis is provided for educational and risk-management purposes. All patch versions, CVE identifiers, and CVSS scores are sourced from official vendor advisories and NIST CVE records. Organizations should verify all technical claims against the latest Google Chrome and Android security bulletins before implementing changes. No exploit code or weaponized proof-of-concept is provided. This document does not constitute legal advice or a guarantee of security. Consult your vendor and internal security team for environment-specific guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).