CVE-2026-9950: Same-Origin Policy Bypass in Chrome on iOS – Patch Now
A same-origin policy bypass vulnerability exists in Google Chrome on iOS versions prior to 148.0.7778.216. The flaw stems from insufficient validation of untrusted input that allows an attacker who has already compromised Chrome's renderer process to craft a malicious HTML page that circumvents browser security boundaries. This means an attacker could potentially access data or perform actions from a different website origin than the one a user is visiting, but only if the renderer process has already been compromised through another attack vector.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.1 LOW · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-20
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Insufficient validation of untrusted input in iOS in Google Chrome on iOS prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9950 is a CWE-20 input validation weakness affecting the iOS variant of Google Chrome. The vulnerability allows bypass of the same-origin policy (SOP)—a fundamental browser security mechanism that prevents scripts from one origin from accessing resources on another origin. The attack requires two conditions: (1) prior compromise of the Chrome renderer process, and (2) user interaction with a crafted HTML page. Under these conditions, an attacker can cross origin boundaries to read non-sensitive data. The Chromium project assigned this a High security severity classification, though the resulting CVSS 3.1 score of 3.1 reflects the high bar for exploitation.
Business impact
While the CVSS score is low, the business context warrants attention. A successful attack requires renderer compromise first, limiting immediate real-world risk. However, if an attacker has already broken into Chrome's sandbox, this vulnerability could enable them to exfiltrate data from multiple origins—potentially accessing credentials, session tokens, or user-specific information across multiple websites. For organizations with users on iOS devices accessing sensitive web applications, this represents a secondary risk multiplier in a chain attack scenario.
Affected systems
Google Chrome on iOS running any version prior to 148.0.7778.216 is affected. The vulnerability is specific to iOS and does not apply to Chrome on Android, macOS, Windows, Linux, or Chrome OS. Organizations should verify the exact Chrome versions deployed to their iOS user base, particularly in BYOD environments or managed device scenarios where iOS is prevalent.
Exploitability
Exploitation has a high bar. An attacker must: (1) first compromise the Chrome renderer process through a separate vulnerability or attack, (2) convince a user to visit a crafted HTML page, and (3) have the victim interact with that page (the UI requirement is part of the CVSS calculation). The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating no widespread active exploitation has been documented at the time of publication. The attack surface is narrower than a direct browser vulnerability, but should not be dismissed in threat modeling for organizations facing sophisticated adversaries.
Remediation
Update Google Chrome on iOS to version 148.0.7778.216 or later. Users can check their current version in Chrome settings (Menu > About Chrome) and apply updates through the iOS App Store. Organizations managing iOS devices through MDM solutions should push this update via their deployment channels. No workarounds exist; patching is the definitive remediation.
Patch guidance
For individual users: navigate to the iOS App Store, search for 'Google Chrome,' and tap Update if available. The patch will download and install automatically when you next open Chrome or manually if you select Install Now. For IT teams: deploy Chrome version 148.0.7778.216 or later through your mobile device management (MDM) solution. Verify deployment within 7–14 days. If your organization uses profile-based app version pinning, adjust policies to allow version 148.0.7778.216 or accept automatic updates. Test the patch in a pilot group before organization-wide rollout to ensure compatibility with critical web applications.
Detection guidance
Monitor Chrome version strings in your device inventory or MDM console for any instances running pre-148.0.7778.216. Check iOS App Store update logs and device compliance reports. Network-level detection is difficult without browser instrumentation; focus on inventory and asset management. If you suspect a renderer process compromise (unusual crashes, unexpected data access), isolate the device and review application logs. Endpoint detection and response (EDR) tools may flag unusual memory access patterns if the vulnerability is exploited in combination with a renderer compromise vector.
Why prioritize this
This vulnerability merits medium priority despite its low CVSS score. The reason: same-origin policy is a critical security pillar, and any bypass—even one requiring prior compromise—increases the blast radius of a successful renderer exploit. Organizations heavy on iOS and web-based SaaS should prioritize patching sooner. However, the high bar for exploitation (two-stage attack) and absence of public exploits mean this is not an emergency patch for all users; staged deployment over 2–3 weeks is reasonable.
Risk score, explained
The CVSS 3.1 score of 3.1 (Low) reflects a narrow attack vector: Network-based delivery, but requiring both High complexity (prior renderer compromise), No privileges, and User interaction. Confidentiality impact is Low (non-sensitive data only), with no integrity or availability impact. The score undersells the security principle at stake (SOP bypass) but accurately reflects real-world exploitability constraints. Organizations should weigh this against their threat model: if you face advanced adversaries capable of chaining vulnerabilities, the effective risk is higher than the score suggests.
Frequently asked questions
Why does this vulnerability have a High Chromium severity but a Low CVSS score?
Chromium severity reflects the class of flaw (same-origin policy bypass is inherently dangerous). CVSS scores the likelihood and impact of real-world exploitation. Here, the two-stage attack requirement (first compromising the renderer, then delivering a crafted page) significantly reduces practical risk, justifying the lower CVSS score. Both perspectives are valid; use CVSS for prioritization, Chromium severity for risk modeling.
Does this affect Chrome on Android, macOS, Windows, or other platforms?
No. This vulnerability is specific to iOS due to platform-specific input validation code. Chrome on other platforms is not affected, though they may have their own separate vulnerabilities. Always check vendor advisories for each platform independently.
Is this vulnerability actively being exploited?
Not as of the publication date. The vulnerability is not listed on CISA's KEV catalog, which tracks vulnerabilities with confirmed public exploitation. However, absence from KEV does not guarantee no exploitation; it means none has been widely documented or reported to CISA. Assume sophisticated threat actors may be aware of it.
What if I'm managing a fleet of iOS devices in an enterprise? How do I deploy the patch?
Use your MDM solution (Intune, Jamf, MobileIron, etc.) to push Chrome version 148.0.7778.216 or later to all enrolled devices. Set deployment to mandatory and staggered over 1–2 weeks to catch any unexpected app conflicts. Verify deployment compliance through your MDM dashboard before considering the issue resolved.
This analysis is based on publicly available information as of June 2026. SEC.co makes no warranty regarding completeness or accuracy. Always verify patch version numbers and compatibility against official vendor advisories before deployment. This vulnerability requires prior renderer process compromise; it is not an unqualified browser jailbreak. Organizations should conduct their own risk assessment based on their threat model, user base, and application landscape. No exploit code or weaponized proof-of-concepts are provided or endorsed. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10021HIGHGoogle Chrome USB Validation Flaw – RCE Vulnerability Patch
- CVE-2026-10904HIGHChrome V8 Sandbox Escape Remote Code Execution
- CVE-2026-10911HIGHChrome Sandbox Escape Vulnerability (High Severity)
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-10917HIGHChrome Media Sandbox Escape Vulnerability (High CVSS 8.3)
- CVE-2026-10920HIGHChrome macOS WebShare Sandbox Escape Vulnerability (v149)