CVE-2026-9959: Chrome WebRTC Race Condition Leaks Cross-Origin Data on Windows
A race condition in WebRTC functionality within Google Chrome on Windows allows an attacker to leak data across origin boundaries. The vulnerability requires user interaction (clicking on a crafted HTML page) and is difficult to exploit reliably due to timing constraints. While the underlying issue is rated High severity by Chromium, the CVSS 3.1 score of 3.1 reflects the practical barriers to exploitation and limited scope—an attacker can extract sensitive information, but cannot modify data or disrupt service.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.1 LOW · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-362
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Race in WebRTC in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9959 is a race condition (CWE-362) in Chrome's WebRTC implementation on Windows platforms. The flaw exists in versions prior to 148.0.7778.216 and permits a remote attacker to bypass same-origin policy protections and read cross-origin data through carefully timed interactions with WebRTC session establishment or communication channels. The race window is narrow and non-deterministic, making reliable exploitation difficult. The vulnerability does not afford code execution or denial of service; its impact is confined to confidentiality of data that should remain isolated between origins.
Business impact
Organizations with Windows-based users accessing web applications leveraging WebRTC (video conferencing, real-time communication, collaborative tools) face a risk of sensitive session data exposure. An attacker could craft a malicious webpage to trick users into opening it, potentially exfiltrating data such as authentication tokens, user identifiers, or communication metadata from concurrent cross-origin sessions. The practical risk is lower than the underlying technical severity suggests, given the exploitation barriers. However, any cross-origin data leak affecting authentication or personal information warrants prompt remediation to prevent reputational damage and compliance issues.
Affected systems
Directly affected: Google Chrome on Windows, all versions prior to 148.0.7778.216. Indirectly affected: Any Windows user relying on Chrome for web applications that use WebRTC. Microsoft Windows is listed as a vendor/product but is not inherently vulnerable; it is the host OS. No other Chromium-based browsers (Edge, Brave, Opera, etc.) are mentioned in the CVE description, though they may warrant review if they incorporate affected WebRTC code from upstream Chromium.
Exploitability
Exploitation requires a remote attacker to craft and host a malicious HTML page, then socially engineer or trick a user into opening it while the victim has a cross-origin WebRTC session or related tab active. The attack requires precise timing to win a race condition, which reduces reliability. No public exploit code is known to be in active circulation; the vulnerability is not tracked in CISA's KEV catalog. Automated vulnerability scanning and endpoint telemetry are unlikely to detect exploitation attempts without WebRTC-aware monitoring. An attacker with the ability to inject JavaScript into a webpage (e.g., via XSS or compromise of a third-party script) could attempt exploitation without user awareness.
Remediation
Update Google Chrome to version 148.0.7778.216 or later on all Windows systems. Chrome's auto-update mechanism should deploy this patch within days; verify deployment status in your environment. Organizations using Chrome Fleet Management or other centralized deployment should prioritize this update to mitigate cross-origin data leaks. Users can manually check for updates via Chrome Settings > About Google Chrome. No compensating controls exist for WebRTC race conditions; patching is the only remediation.
Patch guidance
Google has released Chrome 148.0.7778.216 to address this vulnerability. Deploy this update across Windows endpoints with high priority, especially systems used by employees accessing web-based communication platforms, customer-facing applications, or internal collaborative tools. Verify rollout through Chrome's built-in update checks and admin reporting tools. If your organization uses Chrome for education, healthcare, finance, or any domain handling sensitive data, prioritize this patch in your vulnerability management workflow. Stagger rollout if needed to detect compatibility issues, but complete deployment within 2–4 weeks.
Detection guidance
Monitor for Chrome version compliance using endpoint management tools (Intune, Workspace ONE, osquery, etc.). Audit which Windows systems are running Chrome versions before 148.0.7778.216. Enable WebRTC logging and packet inspection on network monitors if your organization runs traffic analysis for high-security environments—look for anomalous WebRTC signaling or STUN/TURN communications. Endpoint Detection and Response (EDR) solutions may flag cross-origin data access patterns if they understand WebRTC semantics, but most will not. Prioritize patching over detection, as the vulnerability is difficult to identify post-compromise without application-level logging.
Why prioritize this
Although the CVSS score is low (3.1), this vulnerability warrants timely patching because it enables silent cross-origin data theft in a ubiquitous browser, affects a high-value attack surface (WebRTC communications), and likely impacts many Windows environments. The practical exploitation barriers (race condition, user interaction, timing) prevent it from reaching critical priority, but the confidentiality impact and Chromium's High severity rating justify treating it as a medium-priority remediation over other low-CVSS issues. Organizations handling sensitive user data or using Chrome for regulated workflows should patch within 2–4 weeks; general enterprise environments can follow standard patch cadences.
Risk score, explained
The CVSS 3.1 score of 3.1 (LOW) reflects: (1) remote network attack vector (AV:N) with no privilege requirement (PR:N), (2) high attack complexity (AC:H) due to the race condition and timing sensitivity, (3) requirement for user interaction (UI:R), (4) no impact on integrity or availability (I:N, A:N), and (5) confidentiality impact confined to a single security context (S:U, C:L). While Chromium flagged the underlying issue as High severity due to cross-origin data leaks, the CVSS model correctly downrates the practical risk because reliable exploitation is difficult and impact is scoped to information disclosure. The gap between Chromium severity and CVSS reflects the difference between theoretical vulnerability and practical exploitability.
Frequently asked questions
Can this vulnerability be exploited without user interaction?
No. The vulnerability requires a user to visit or interact with a crafted webpage. Automated background exploitation is not possible. However, if an attacker controls a webpage the victim frequents (e.g., via ad injection or third-party script compromise), exploitation could occur without obvious user awareness.
Does this vulnerability affect Chromium-based browsers like Microsoft Edge?
The CVE description specifically mentions Google Chrome on Windows. Other Chromium-based browsers may be affected if they use the same vulnerable WebRTC code, but this is not stated in the advisory. Organizations using Edge, Brave, or other Chromium forks should check vendor advisories for related patches.
What data can be stolen by this exploit?
The vulnerability allows reading of cross-origin data—specifically data that belongs to a different website or origin than the attacker's page. In the context of WebRTC, this could include session identifiers, user identifiers, communication metadata, or other sensitive information stored or transmitted by concurrent web sessions. It does not directly expose user files or passwords, but could compromise authentication tokens.
Is patching the only solution?
Yes. There is no practical workaround or mitigation short of updating to the patched version. Disabling WebRTC is possible but will break legitimate video conferencing and real-time communication features in Chrome.
This analysis is for informational purposes and does not constitute legal, security, or compliance advice. Patch version numbers, affected product versions, and CVSS scores are based on official vendor advisories and CVE records as of the publication date; verify all details against the latest vendor security bulletins before deployment. Race conditions are complex; exploitation may vary by system configuration, timing, and WebRTC implementation details. Organizations should conduct internal testing in non-production environments before rolling out patches widely. SEC.co assumes no liability for patch deployment outcomes or security decisions made in reliance on this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10006HIGHChrome WebAudio Race Condition Remote Code Execution
- CVE-2026-10940HIGHChrome Windows Sandbox Escape via Codec Race Condition
- CVE-2026-9944LOWChrome ANGLE Memory Leak Cross-Origin Data Disclosure
- CVE-2026-9991LOWChrome Media Cross-Origin Data Leak on Windows
- CVE-2026-10000HIGHChrome Sandbox Escape via Use-After-Free in Password Handling
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis