MEDIUM 4.3

CVE-2026-9943: Chrome Android WebGL Out-of-Bounds Read – Cross-Origin Data Leak

A memory access flaw in Google Chrome's WebGL implementation on Android allows attackers to read data from other websites through a specially crafted web page. When a user visits the malicious page, the attacker can extract information (such as authentication tokens, session cookies, or sensitive content) from sites the user is logged into. This is a cross-origin data leak—meaning the attacker can access information meant to be isolated to other domains.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-125
Affected products
2 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Out of bounds read in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9943 is an out-of-bounds read vulnerability (CWE-125) in the WebGL graphics subsystem of Chrome on Android. The flaw permits remote code execution of arbitrary memory reads that bypass the security boundary between origin contexts. An attacker crafting a malicious HTML page can trigger the out-of-bounds access during WebGL rendering, leaking cross-origin application state to the attacker's context. The Chromium security team assessed this as High severity, though the CVSS v3.1 score of 4.3 reflects the requirement for user interaction (visiting the page) and the limited attack surface on mobile platforms. Affected versions include Chrome for Android prior to 148.0.7778.216.

Business impact

This vulnerability poses a data exfiltration risk to organizations whose users access sensitive web applications on Android devices. If employees use Chrome on Android to access internal tools, email, or cloud services, an attacker could harvest session tokens or sensitive information by tricking them into visiting a malicious site. The cross-origin nature means attackers can target any site the user is authenticated to. For enterprises with significant Android adoption, especially in BYOD environments, this represents a credential and data theft vector. The requirement for user interaction moderates risk somewhat—users must visit the attacker-controlled page—but phishing and malicious advertisements are common attack vectors.

Affected systems

Google Chrome running on Android devices with versions prior to 148.0.7778.216 are affected. Desktop and other platform versions of Chrome are not impacted. The vulnerability is specific to the WebGL rendering pipeline on the Android OS, leveraging platform-specific memory management differences. Both personal devices and managed corporate Android deployments are at risk if they run vulnerable Chrome versions.

Exploitability

Exploitability requires a remote attacker to serve a crafted HTML page and convince a user to visit it—a social engineering or drive-by attack scenario. No authentication or special privileges are required. Once the user lands on the page, the malicious JavaScript can trigger the out-of-bounds read automatically without further user action. The vulnerability is network-reachable and low-complexity to trigger, making it suitable for mass phishing or malicious advertisement campaigns. However, it is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation in the wild has not been widespread or publicly documented at time of assessment.

Remediation

Upgrade Google Chrome on Android to version 148.0.7778.216 or later. Users should check Settings > About Chrome on their Android devices to verify the current version and trigger auto-update if available. Organizations managing Android devices via Mobile Device Management (MDM) should prioritize rollout of the patched version. Given the moderate CVSS score and lack of KEV status, remediation should be included in the next standard update cycle rather than treated as emergency, but should not be indefinitely delayed.

Patch guidance

Google has released Chrome 148.0.7778.216 for Android with a fix for this WebGL out-of-bounds read. Verify this version number against the official Google Chrome Release Notes and Android Security & Privacy Year in Review documentation. Enable automatic updates in Chrome settings to ensure seamless deployment. Organizations should test the patched version in a limited Android environment first to confirm no compatibility issues with internal web applications, particularly those using WebGL (less common but possible in specialized tools). Rollout can proceed to all devices once testing is complete.

Detection guidance

Monitor for suspicious WebGL activity or errors in Chrome on Android via device logs and MDM telemetry if available. At the network level, inspect for unexpected data exfiltration from user devices to unfamiliar domains during or after web browsing sessions. Endpoint Detection and Response (EDR) tools on corporate-owned Android devices may flag unusual memory access patterns, though Chrome sandboxing typically isolates such activity. Threat intelligence feeds monitoring for malicious HTML payloads designed to trigger WebGL exploits can provide early warning. Organization security teams should advise users to report unexpected behavior (crashes, hangs) when visiting certain websites.

Why prioritize this

While the CVSS score of 4.3 is moderate and there is no evidence of widespread active exploitation, the attack vector (network, no authentication, user interaction only) and the nature of cross-origin data leakage warrant timely patching. Android is increasingly used for business purposes, and session token theft directly threatens corporate security posture. The lack of KEV status suggests this is not yet a mass-exploitation target, making it easier to patch before attackers shift focus. Prioritize deployment to devices accessing sensitive corporate web services.

Risk score, explained

The CVSS v3.1 score of 4.3 (Medium severity) reflects: (1) network-based remote attack vector with no requirement for privileges or authentication; (2) low attack complexity; (3) required user interaction (visiting a malicious page); (4) confidentiality impact limited to the scope of a single origin context; and (5) no impact on integrity or availability. The high Chromium severity rating indicates the browser vendor's concern about the root cause and potential for cross-origin data leakage, even though the CVSS metric weighting constrains the numerical score. Organizations should not discount this based solely on the CVSS number—data exfiltration, even with user interaction required, is a serious concern in modern web threat models.

Frequently asked questions

Does this vulnerability allow arbitrary code execution?

No. This is a data read vulnerability (out-of-bounds read), not a code execution flaw. An attacker can leak information from memory, such as session tokens or cross-origin data, but cannot execute arbitrary commands on the device or take over the browser process directly.

Is this vulnerability actively exploited in the wild?

As of the last assessment, this vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. There is no public evidence of widespread active exploitation, though it is prudent to assume attackers are aware of the flaw and may develop exploits as the public disclosure matures.

What versions of Chrome are vulnerable?

Google Chrome on Android versions prior to 148.0.7778.216 are vulnerable. Desktop Chrome, Chrome on iOS, and other platforms are not affected. Check your Android device's Chrome version in Settings > About Chrome.

Can an attacker exploit this without the user visiting a malicious page?

The attacker must trick the user into visiting a crafted HTML page—either via phishing, malicious advertisement, compromised website, or similar social engineering. Once the user is on the page, the exploit can trigger automatically, but initial user action is required to initiate the attack.

This analysis is provided for informational purposes to support security decision-making. The details herein are derived from official vulnerability data sources and Chromium security advisories. Organizations should independently verify patch version numbers and compatibility against their own environment before deployment. This vulnerability analysis does not constitute legal advice or a guarantee of security outcome. Always consult vendor advisories and your organization's incident response and vulnerability management policies before taking action. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).