CVE-2026-9930: Out-of-Bounds Write in Chrome for macOS
An out-of-bounds write vulnerability exists in the Dawn graphics component of Google Chrome on macOS. An attacker can craft a malicious HTML page that, when viewed by a user, writes data to memory locations outside the intended bounds of a buffer. This memory corruption could allow an attacker to modify sensitive data or potentially achieve code execution, though the CVSS assessment indicates the integrity impact is limited. The vulnerability requires user interaction—the victim must visit or be directed to the malicious page—and affects Chrome versions prior to 148.0.7778.216 on macOS.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-787
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Out of bounds write in Dawn in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9930 is an out-of-bounds write flaw (CWE-787) in the Dawn graphics abstraction layer used by Chromium. The vulnerability exists in Chrome for macOS and allows a remote attacker to write beyond buffer boundaries via a specially crafted HTML payload. The attack vector is network-based with no privilege requirement, though successful exploitation depends on user interaction. Chromium has classified this as High security severity within their internal taxonomy, whereas the CVSS v3.1 score of 4.3 reflects a Medium severity rating with limited impact to integrity (I:L) and no impact on confidentiality or availability. The discrepancy between Chromium's severity label and the CVSS score suggests the vulnerability's real-world exploitation may be constrained by browser sandbox protections or other mitigating factors.
Business impact
For organizations with macOS users running vulnerable versions of Chrome, this vulnerability presents a targeted attack surface, particularly if those users browse untrusted or compromised websites. The primary risk is data integrity corruption rather than data exfiltration or system unavailability. However, out-of-bounds writes in graphics components can occasionally be chained with other flaws to escape sandbox restrictions, which would elevate risk significantly. Organizations should assess the prevalence of vulnerable Chrome versions in their environment and the criticality of the systems on which those browsers run. This is not an enterprise-grade threat that justifies emergency IR mobilization, but it warrants standard patch cycle inclusion.
Affected systems
The vulnerability is specific to Google Chrome on Apple macOS prior to version 148.0.7778.216. It does not affect Chrome on Windows, Linux, or other platforms, nor does it affect other Chromium-based browsers unless they independently integrate the affected Dawn version without patching. macOS users on older or unpatched Chrome builds remain exposed; enterprise deployments should verify their Chrome version against the fixed build number.
Exploitability
Exploitation requires a remote attacker to host or inject a malicious HTML page and convince or trick a user into visiting it—there is no watertight method to force code execution through this flaw alone. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms the attack is straightforward to mount (low complexity) but strictly dependent on user action. The vulnerability is not known to be exploited in the wild, as it has not been added to the CISA KEV catalog. No public exploit code is available. The Chromium sandbox will likely prevent the memory corruption from directly compromising the host OS, though attackers could potentially use this alongside renderer process exploits to break out of the sandbox.
Remediation
Update Google Chrome on macOS to version 148.0.7778.216 or later. Users can enable automatic updates in Chrome settings (Chrome menu > Settings > About Chrome), which will trigger a download and install cycle, typically requiring a browser restart. Organizations should verify patch deployment through mobile device management (MDM) solutions or enterprise Chrome update policies to ensure no machines remain on vulnerable versions.
Patch guidance
Navigate to Chrome's Settings > About Chrome to check the current version and force an immediate update check. The patch is cumulative; simply updating to 148.0.7778.216 or any later version resolves the vulnerability. Verify the browser restarts to complete the update. For managed deployments, confirm that Chrome enterprise policies (update_default or similar) are configured to allow auto-updates, and validate patch application across your device inventory within 2–4 weeks of release depending on your risk tolerance and the prevalence of vulnerable versions in your environment.
Detection guidance
Monitor Chrome version compliance via endpoint detection and response (EDR) tools, mobile device management consoles, or manual inventory scans on macOS devices. Look for any instances of Chrome prior to 148.0.7778.216. Web traffic inspection can identify suspicious HTML payloads attempting to trigger out-of-bounds writes, though the specific payload signature is difficult to generalize without access to exploit proof-of-concepts. Network-based detection is less viable; endpoint version monitoring is the primary control.
Why prioritize this
Although Chromium rates this as High severity, the CVSS v3.1 Medium score (4.3) and lack of active exploitation (KEV not listed) place this in the standard patching queue rather than the emergency category. The graphics layer vulnerability combined with the macOS-only scope and user-interaction requirement reduces the blast radius. Prioritize patching for users who frequently visit untrusted websites or receive phishing campaigns, and ensure standard-cadence updates are applied fleet-wide within 30 days.
Risk score, explained
The CVSS score of 4.3 reflects the limited scope of impact: integrity is affected (ability to write out of bounds) but confidentiality and availability are not directly impacted. The requirement for user interaction (UI:R) and network attack vector (AV:N, AC:L) yield a Medium severity. Chromium's internal High severity label may reflect a higher theoretical risk of sandbox escape or chaining with other renderer bugs, but the observed impact in the wild appears constrained by browser isolation features. The absence of KEV catalog inclusion indicates no active, widespread exploitation as of the advisory date.
Frequently asked questions
Does this vulnerability affect Chrome on Windows or Linux?
No, CVE-2026-9930 is specific to Chrome on macOS prior to version 148.0.7778.216. Chrome on Windows and Linux are not affected by this particular flaw, though they may be subject to other vulnerabilities patched in the same release.
Can this vulnerability be exploited without user interaction?
No. The vulnerability requires a user to visit a malicious HTML page. There is no mechanism for a remote attacker to trigger the flaw without some form of user engagement, such as clicking a link or browsing to a compromised site.
Is this vulnerability actively being exploited?
As of the advisory date, this vulnerability has not been added to the CISA KEV (Known Exploited Vulnerabilities) catalog and no public exploits are known. This suggests active, widespread exploitation is not occurring, though targeted attacks are always possible.
What is the difference between Chromium's High severity and the CVSS Medium score?
Chromium's internal severity classification may account for potential sandbox-escape scenarios or chaining with other flaws, whereas CVSS v3.1 measures only the direct impact of the vulnerability in isolation. The CVSS score reflects that integrity is affected (ability to write memory) but confidentiality and availability are not directly compromised by this flaw alone.
This analysis is provided for informational purposes and reflects the state of vulnerability intelligence as of the advisory date. CVSS scores, patch versions, and KEV status are current as of the source data; readers should verify patch applicability and organizational risk tolerance independently. No exploit code or weaponized proof-of-concept details are provided. Organizations should assess this vulnerability within their own risk framework and update policies. Chromium's internal severity classification may differ from CVSS; both perspectives inform a complete risk picture. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10883HIGHType Confusion in Chrome ANGLE Graphics Library
- CVE-2026-10897HIGHCritical Chrome GPU Sandbox Escape Vulnerability
- CVE-2026-10907HIGHChrome ANGLE Out-of-Bounds Write – Remote Code Execution Risk
- CVE-2026-10925HIGHSkia Out-of-Bounds Write Enables macOS Chrome Sandbox Escape
- CVE-2026-10941HIGHSkia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required
- CVE-2026-9879HIGHCritical Out-of-Bounds Write in Chrome ANGLE Graphics Engine
- CVE-2026-9896HIGHChrome V8 Out-of-Bounds Write RCE – Patch to 148.0.7778.216
- CVE-2026-9910HIGHChrome ANGLE Out-of-Bounds Memory Access – Exploit & Patch Guide