CVE-2026-9971: Chrome iOS UXSS Vulnerability – Update to 148.0.7778.216
A vulnerability in Google Chrome on iOS allows attackers to inject malicious scripts or HTML code into web pages when a user performs specific interactions with the browser. An attacker would need to craft a deceptive webpage and convince a user to engage with it in particular ways—such as specific taps or gestures—to trigger the injection. Once successful, the attacker gains the ability to run arbitrary code in the context of the webpage, potentially stealing data or modifying what the user sees.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in iOS in Google Chrome on iOS prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9971 is a cross-site scripting (XSS) vulnerability, specifically a Universal XSS (UXSS) variant, stemming from improper implementation of security controls in Chrome's iOS rendering engine. The vulnerability exists in versions prior to 148.0.7778.216. The attack vector involves crafted HTML that exploits platform-specific UI gesture handling, allowing script injection without traditional same-origin protections. The vulnerability is classified as High severity by Chromium's security team, though the calculated CVSS v3.1 score of 5.4 reflects a medium severity rating due to the requirement for user interaction and the limited scope of compromise (no confidentiality/integrity impact beyond the affected page, no availability impact).
Business impact
For organizations with iOS users accessing sensitive web applications through Chrome, this vulnerability creates a targeted phishing and credential theft risk. An attacker could craft a convincing replica of a legitimate site and, through social engineering, convince users to perform the necessary gestures to trigger the injection. This could lead to session hijacking, password capture, or theft of sensitive business data. The reliance on user interaction limits widespread automated exploitation, but the ease of crafting deceptive pages makes it a practical attack vector for targeted campaigns. Organizations should assess whether Chrome on iOS is used to access high-value applications or sensitive data portals.
Affected systems
The vulnerability affects Google Chrome on iOS versions prior to 148.0.7778.216. It also involves Apple iPhone OS, as the vulnerability exploits iOS-specific UI gesture handling mechanisms in Chrome's implementation. Any user running an outdated version of Chrome on an iPhone or iPad is potentially at risk. Organizations should inventory Chrome installations across their iOS device fleet to determine exposure.
Exploitability
While the vulnerability requires user interaction—specifically, performing certain UI gestures on a crafted HTML page—it does not require the attacker to have privileges or network position advantages beyond hosting a webpage. The attack is practical because social engineering can reliably prompt users to tap or interact with a malicious page. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting that widespread active exploitation has not yet been documented as of the data collection date, though this does not guarantee future exploitation will not occur.
Remediation
Update Google Chrome on iOS to version 148.0.7778.216 or later. iOS users should enable automatic app updates in the App Store settings to ensure Chrome patches are applied promptly. Organizations managing iOS devices via Mobile Device Management (MDM) solutions should push Chrome updates through their management platform and verify successful deployment across the fleet. Users should also be educated to avoid performing unusual gestures or interactions on unfamiliar websites, particularly those claiming to be from financial institutions or other high-security domains.
Patch guidance
Google has released Chrome version 148.0.7778.216 or later to address this vulnerability. Verify the exact patch version against Google's official Chrome release notes for iOS. For enterprise deployments, coordinate with your MDM provider to distribute the update and confirm rollout across all managed iOS devices. Test the patch in a limited group of devices before organization-wide deployment to ensure no compatibility issues with line-of-business applications accessed through Chrome. If your organization relies on a specific build of Chrome, check with Google's enterprise support for any applicable backports.
Detection guidance
Monitor Chrome version numbers across your iOS fleet using MDM reporting tools or Mobile Threat Defense (MTD) solutions. Set alerts for any devices running Chrome versions below 148.0.7778.216. If your organization employs web application firewalls or content inspection tools, look for logs of unusual script injection attempts or XSS patterns in HTTP traffic from iOS devices, though encrypted traffic may limit visibility. Browser telemetry or crash reports may also indicate exploitation attempts if scripts are unexpectedly injected. Consider deploying endpoint detection and response (EDR) solutions that support iOS to monitor for behavioral indicators of compromised sessions.
Why prioritize this
Prioritize patching based on the extent to which Chrome on iOS is used for accessing sensitive applications. If your organization primarily uses native apps or Safari for critical tasks, the risk is lower. However, if Chrome is commonly used for email, financial systems, or corporate portals, treat this as a priority patch. The medium CVSS score and requirement for user interaction mean this is not a critical emergency, but the practical exploitability through social engineering warrants prompt action within standard patching cycles. Organizations should patch within 30 days if Chrome on iOS accesses sensitive data, or within 60 days for lower-risk use cases.
Risk score, explained
The CVSS v3.1 score of 5.4 (Medium) reflects the balance between a relatively low attack complexity (the attacker simply needs to host a webpage and convince users to visit it) and constraints on impact. The score accounts for the requirement of user interaction (UI:R) and the limited scope of compromise (S:U)—the injected script affects only the user's view of the page and session, not the system as a whole. There is no availability impact and only modest confidentiality and integrity impact limited to data within the context of that webpage. Chromium's High severity rating prioritizes the nature of the vulnerability (UXSS is dangerous) and the browser's privileged role, whereas CVSS emphasizes the practical limitations on real-world impact.
Frequently asked questions
What is Universal XSS (UXSS) and why is it worse than typical XSS?
Universal XSS allows an attacker to inject scripts across multiple origins or bypass typical same-origin protections, making it significantly more dangerous than standard XSS. In a standard XSS, the injected script is confined to the vulnerable domain. With UXSS, an attacker could potentially inject malicious code that affects unrelated websites or steals data from multiple sources. This vulnerability on iOS appears to exploit platform-specific gesture handling, which is why it is classified as a High-severity UXSS.
Do I need to patch immediately, or can I delay this update?
No immediate emergency action is required since this vulnerability is not listed on CISA's KEV catalog and does not have a critical or exploitable-in-the-wild status. However, you should schedule patching within your normal patch management cycle (typically 30 days for medium-severity flaws). If your organization uses Chrome on iOS for sensitive tasks like email or financial services, accelerate the patch. If Chrome is rarely used for high-value activities, a 60-day window is acceptable.
My organization uses Safari on iOS exclusively—am I affected?
No. This vulnerability is specific to Google Chrome on iOS and does not affect Safari or other browsers. If your organization mandates Safari or other browsers for sensitive operations, your exposure to this particular vulnerability is zero. However, continue to patch Safari and other browsers as vulnerabilities are discovered in them.
Can this vulnerability be exploited without user interaction?
No. The vulnerability requires the user to perform specific UI gestures in response to a crafted HTML page. An attacker cannot silently exploit this by simply serving a malicious page; they must convince the user to interact with it in particular ways. This typically requires social engineering or a targeted phishing campaign, which limits the scope and scale of potential attacks compared to zero-interaction vulnerabilities.
This analysis is based on publicly available information and the vulnerability record as of June 2026. Patch version numbers and CVSS scores are taken directly from official CVE sources and should be verified against Google's official Chrome release notes and Apple's security advisories. Actual exploitability and impact may vary depending on your organization's specific configuration, user behavior, and the security controls already in place. This explainer is for informational purposes and does not constitute professional security advice. Consult with your security team and relevant vendor advisories before making remediation decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10018MEDIUMInteger Overflow in Chrome ANGLE GPU Graphics Layer
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-10944MEDIUMChrome iOS Autofill Data Leak Vulnerability – Patch Now
- CVE-2026-10950MEDIUMChrome iOS Autofill Data Leak Vulnerability – Patch Guide
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure