CVE-2026-9963: Chrome iOS Uninitialized Memory RCE—Patch Now
A memory initialization flaw in Google Chrome for iOS (versions before 148.0.7778.216) could allow an attacker to run malicious code within the browser's sandbox if a user visits a crafted webpage and performs specific touch interactions. The vulnerability requires active user engagement to exploit—simply landing on a malicious site is not enough. Code execution remains confined to the browser sandbox, limiting direct system compromise but still posing a meaningful threat to user data and browser security.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-457
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Uninitialized Use in iOS in Google Chrome on iOS prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9963 is an uninitialized use-after-free or memory access vulnerability (CWE-457) occurring in iOS-specific code paths within Chromium's rendering or JavaScript engine. The flaw manifests when a user interacts with page elements through specific gestures (tap, swipe, or similar UI actions) on attacker-controlled HTML. The uninitialized memory state allows code execution within the browser process sandbox. Chrome's sandboxing architecture mitigates full system compromise, but sandbox escapes remain a secondary risk. The issue is tracked as high severity by the Chromium security team.
Business impact
For organizations supporting iOS users accessing internal web applications or relying on Chrome for mobile browsing, this vulnerability can lead to session hijacking, credential theft, and unauthorized access to sensitive data rendered in the browser. While sandboxed execution limits OS-level attacks, compromised browser state may leak authentication tokens, personal information, and enterprise data. Business continuity risks include widespread mobile device compromise if users run unpatched versions across a fleet. Regulatory exposure exists for organizations handling regulated data on unpatched mobile browsers.
Affected systems
The vulnerability affects Google Chrome on iOS versions 148.0.7778.215 and earlier. Chrome on Android and desktop platforms are not affected by this iOS-specific memory initialization flaw. However, any organization with BYOD policies or employee-owned iPhones running unpatched Chrome faces exposure. Users on iOS 16 and later with current Chrome updates are protected; those on older Chrome builds or in organizations with slow patch cycles remain at risk.
Exploitability
Exploitation requires convincing a user to visit a malicious webpage and interact with it through specific UI gestures. This is a moderate bar—not as trivial as a drive-by download, but realistic in phishing campaigns, watering-hole attacks, or compromised advertising networks. No privilege escalation is needed; the attacker merely needs user engagement. The requirement for specific gestures (rather than passive page load) suggests the flaw is tied to event-handling or touch-input processing. Exploit code is not publicly known at this time, but the Chromium team classified it as 'High' severity, indicating development teams likely have internal proofs-of-concept.
Remediation
Update Google Chrome on iOS to version 148.0.7778.216 or later immediately. iOS users should enable automatic app updates in the App Store settings to prevent future delays. Organizations should audit mobile device management (MDM) policies to enforce Chrome version minimums and restrict access from older builds. For enterprises deploying internal web applications, consider server-side protections such as strict Content Security Policy headers and input validation to reduce attack surface. Monitor for any unusual browser process behavior on managed devices.
Patch guidance
Google Chrome on iOS is updated through the Apple App Store. Users with manual update settings should open the App Store, navigate to their profile, and force-check for Chrome updates. Organizations using Mobile Device Management (MDM) solutions (Jamf, Microsoft Intune, etc.) can push Chrome updates to managed devices; consult your MDM vendor's documentation for Chrome version control policies. Verify the installed version in Chrome Settings > About Google Chrome, which displays the current build number. Devices running iOS 15 or earlier may face compatibility constraints; confirm that Chrome 148.0.7778.216 is installable on your target iOS versions before enforcement.
Detection guidance
Monitor for suspicious Chrome process crashes or high memory consumption on employee iOS devices, which may indicate exploitation attempts. Network-level detection is limited since traffic is encrypted (HTTPS); however, watch for unusual user-agent patterns or requests to known malicious domains from iOS Chrome clients. Endpoint Detection and Response (EDR) tools on macOS or Android cannot directly monitor iOS, but organizations can use MDM console logs to track Chrome versions and flag devices running vulnerable builds. User reports of unexpected browser behavior, page crashes, or device slowness after visiting specific sites warrant investigation. Analyze web server logs for requests with suspicious payloads or unusual touch event patterns if you host web applications.
Why prioritize this
This vulnerability merits urgent priority due to its high CVSS score (7.5), the requirement for no special privileges, and the prevalence of iOS devices in both consumer and enterprise environments. While exploitation requires user interaction, the bar is relatively low in phishing and watering-hole scenarios. The lack of KEV designation suggests CISA has not yet flagged active exploitation, but widespread availability of unpatched Chrome users makes this an attractive target. Organizations with significant iOS user bases should prioritize patching within 48–72 hours; others within 2 weeks.
Risk score, explained
The CVSS 3.1 score of 7.5 (High) reflects attack complexity of 'High' due to the need for specific user gestures, but full impact on confidentiality, integrity, and availability within the sandbox scope. The score appropriately captures the practical risk: an attacker cannot silently exploit this via drive-by attack, but does gain substantial control over user data and browser state if user interaction is achieved. The sandbox constraint (S:U) prevents full system takeover, preventing a Critical rating, but the ability to execute arbitrary code and access user credentials justifies the High classification.
Frequently asked questions
Can an attacker exploit this without user interaction?
No. The vulnerability requires specific UI gestures—typically tapping, swiping, or interacting with page elements. A user simply visiting a malicious link is insufficient; they must actively engage with the webpage. This makes broad, passive exploitation less feasible than true drive-by vulnerabilities, but phishing campaigns and watering-hole attacks remain effective delivery methods.
Does the Chrome sandbox prevent all damage?
The sandbox significantly limits damage by preventing direct access to the file system, contacts, and iOS system calls. However, code execution within the browser process can still steal cached credentials, session tokens, personal data, and sensitive information displayed in web applications. Users running enterprise applications in Chrome should consider this when assessing risk.
How quickly should we patch this?
Organizations should prioritize this patch within 48–72 hours for high-risk user populations (those accessing sensitive web applications or receiving phishing threats), and within 2 weeks for general deployment. The lack of KEV status and public exploits currently provides a limited window before tooling matures; do not delay indefinitely.
Does this affect Chrome on Android or desktop?
No. This is an iOS-specific vulnerability in memory initialization code paths. Chrome on Android, Windows, macOS, and Linux are not affected by CVE-2026-9963. If your organization supports multiple platforms, prioritize iOS patching while monitoring Chrome channels for related Android or desktop issues.
This analysis is for informational purposes and does not constitute legal or professional security advice. Organizations should verify patch availability and compatibility with their environment before deployment. CVSS scores, affected versions, and patch guidance are based on published vendor advisories and CVE records current as of the analysis date. Test patches in a staging environment before production rollout. Consult your security team and vendor documentation for environment-specific guidance. No exploit code or weaponization steps are provided in this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10960HIGHChrome Sandbox Escape via Uninitialized Codec Variable
- CVE-2026-9972HIGHChrome macOS Sandbox Escape in Gamepad Handler—Patch Priority & Risk
- CVE-2026-11033MEDIUMChrome macOS WebML Memory Disclosure Vulnerability
- CVE-2026-9935MEDIUMChrome ANGLE Uninitialized Memory Leak – Cross-Origin Data Disclosure
- CVE-2026-9942MEDIUMANGLE Site Isolation Bypass in Chrome – Remediation Guide
- CVE-2026-9944LOWChrome ANGLE Memory Leak Cross-Origin Data Disclosure
- CVE-2026-10973HIGHChrome Cross-Origin Data Leak via Uninitialized Memory
- CVE-2026-10976HIGHChrome Uninitialized Use Memory Disclosure Vulnerability (CVSS 7.4)