MEDIUM 4.3

CVE-2026-9955: Cross-Origin Data Leak in Google Chrome on iOS

A vulnerability in Google Chrome on iOS versions before 148.0.7778.216 allows attackers to extract sensitive information from websites the user visits. An attacker would craft a malicious webpage and trick a user into visiting it; the page can then read data intended to be private to other websites. This is a cross-origin data leak—a violation of the browser's same-origin policy that normally prevents websites from accessing each other's information.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-200
Affected products
2 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in iOS in Google Chrome on iOS prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9955 stems from an inappropriate implementation in the iOS version of Google Chrome that fails to properly enforce cross-origin access restrictions. The vulnerability is categorized under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), indicating a fundamental information disclosure flaw in the security model. An attacker delivers a specially crafted HTML page to a victim; when loaded in the affected Chrome version on iOS, the page can access and exfiltrate data from other origins that the victim has previously visited or is currently authenticated to. The Chromium project assigned this a High severity rating internally, though the CVSS 3.1 score of 4.3 reflects the requirement for user interaction (the victim must visit the attacker's page) and the confidentiality-only impact (no code execution, no data modification).

Business impact

Organizations whose users access sensitive web applications via Chrome on iOS—particularly financial services, healthcare, and enterprise SaaS platforms—face a data exposure risk. A successful attack could leak authentication tokens, personal information, or confidential documents. The impact is primarily confidentiality-driven; attackers cannot modify data or disrupt service directly, but stolen credentials or sensitive information could enable follow-on attacks. Companies managing BYOD environments where iOS devices access corporate web portals should assess exposure. The user-interaction requirement (visiting a malicious page) limits mass exploitation but doesn't eliminate risk in phishing or watering-hole attack scenarios.

Affected systems

Google Chrome on iOS versions prior to 148.0.7778.216 are vulnerable. Apple iPhone OS is the affected platform. Users on older Chrome versions running on any iPhone or iPad are at risk. Desktop Chrome and Chrome on Android are not impacted by this specific vulnerability. The fix is bundled in Chrome 148.0.7778.216 and later.

Exploitability

Exploitation requires user interaction—the victim must visit an attacker-controlled or compromised webpage. No authentication bypass, zero-click delivery, or complex user manipulation is necessary beyond standard social engineering. The attack surface is broad because the victim's browsing history and current session state can be queried by the malicious page. The attack is practical but not wormable or self-propagating; each victim must be individually lured to the exploit page. No public exploit code has been confirmed, and the vulnerability is not tracked on the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting limited in-the-wild exploitation at this time.

Remediation

Users must upgrade Google Chrome on iOS to version 148.0.7778.216 or later. This is a straightforward patch deployed through the App Store. There is no workaround; relying on user behavior changes (e.g., 'avoid visiting suspicious websites') is insufficient because the attack surface includes legitimate sites that may be compromised. Organizations should prioritize this patch in device management policies, particularly for users handling sensitive data.

Patch guidance

Deploy Chrome 148.0.7778.216 or later on all managed iOS devices via Mobile Device Management (MDM) or Mobile Application Management (MAM) solutions. Set Chrome to auto-update if not centrally managed. Verify successful deployment by checking the Chrome version string in Settings > About Google Chrome on affected devices. For organizations using Chrome Enterprise, consult Google's official security update documentation to confirm version numbers and deployment timelines. End users should enable automatic app updates in the App Store settings.

Detection guidance

Monitor for signs of data exfiltration from web applications, including unusual API calls from iOS devices or unexpected access patterns to sensitive endpoints. Implement network-level detection for anomalous traffic from Chrome on iOS clients. Application owners can use Content Security Policy (CSP) headers to restrict iframe embedding and reduce attack surface, though this does not address the underlying browser vulnerability. Log and alert on failed authentication attempts or session hijacking indicators following dates when Chrome was older than 148.0.7778.216. User agents and device metadata in web logs can help identify affected Chrome on iOS instances.

Why prioritize this

While the CVSS score is moderate (4.3), the vulnerability directly undermines browser security boundaries and affects confidentiality of sensitive web traffic. Given the prevalence of mobile banking, corporate VPN access, and SaaS applications via iOS Chrome, and the feasibility of targeted phishing attacks, this warrants prompt patching. The lack of KEV designation suggests this is not yet heavily exploited, providing a window for preventative action before adoption increases.

Risk score, explained

The CVSS 3.1 score of 4.3 (MEDIUM) reflects: (1) Network-based attack vector requiring no special privileges; (2) Low attack complexity—no special conditions needed beyond delivery of a malicious page; (3) Required user interaction—the victim must navigate to the attacker's site; (4) Confidentiality impact—data leakage is the primary harm; (5) No integrity or availability impact. The moderate score appropriately captures a real but not critical threat. The Chromium High severity rating and the privacy-invasive nature of cross-origin data theft justify treating this as higher priority than the CVSS alone suggests, especially in environments with high-value web applications.

Frequently asked questions

Can this vulnerability steal my login credentials or financial data?

Yes, if a malicious webpage can read data from another origin you're authenticated to, it may access cookies, session tokens, or sensitive information those sites display. This could include banking details, personal records, or email content, depending on what your browser has cached and what the target website exposes.

Do I need to do anything if I've already been using Chrome 148.0.7778.216 or later?

No. If your Chrome on iOS is already at version 148.0.7778.216 or later, you are not affected by this vulnerability. Check Settings > About Google Chrome in the Chrome app to confirm your version.

Is this vulnerability affecting Chrome on Android or desktop Chrome?

No. CVE-2026-9955 is specific to Chrome on iOS. Android and desktop users are not impacted by this particular flaw, though they should keep their browsers updated to protect against other vulnerabilities.

What should I do if I suspect I've visited a malicious site before patching?

If you were using an affected version of Chrome on iOS before patching, you cannot undo a potential data leak. After updating to the patched version, monitor your accounts for suspicious activity, consider changing passwords for sensitive services, and watch for phishing or unusual account access attempts.

This analysis is provided for informational purposes and represents a point-in-time assessment based on publicly available data as of the publication date. Patch versions and availability dates are subject to change; always verify against official vendor advisories before deploying updates. This document does not constitute legal or professional security advice. Organizations should conduct their own risk assessments and consult with security teams before taking remediation actions. No exploit code or weaponizable proof-of-concept information is included herein. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).