LOW 3.1

CVE-2026-9991: Chrome Media Cross-Origin Data Leak on Windows

A vulnerability in Google Chrome's media handling on Windows allows an attacker who has already compromised the browser's renderer process to extract sensitive data across security boundaries. The attacker would need to host a malicious webpage and trick a user into visiting it while the renderer is already under their control. The exposure is information disclosure—no system takeover or crashes—and the barrier to exploitation is relatively high because the attacker must first achieve renderer compromise.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.1 LOW · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-200
Affected products
2 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in Media in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9991 stems from an inappropriate implementation in Chrome's Media subsystem affecting Windows deployments prior to version 148.0.7778.216. The vulnerability is rooted in CWE-200 (Exposure of Sensitive Information) and allows cross-origin data leakage when a compromised renderer process processes a specially crafted HTML page. The attack chain assumes the renderer sandbox has already been breached; the flaw then enables exfiltration of data that should remain isolated between security domains. Chromium assigned this a High security severity rating despite the LOW CVSS v3.1 score, reflecting the context-dependent nature of the threat (post-compromise data theft versus pre-compromise attack surface).

Business impact

The practical business risk is moderate and context-dependent. If an attacker has already compromised a user's Chrome renderer process through an unrelated vulnerability or watering hole, this flaw amplifies that compromise by enabling theft of sensitive cross-origin information—such as authentication tokens, personal data in web applications, or cached credentials. For most organizations, the immediate threat is low because exploitation requires a two-step attack. However, for high-value targets (finance, healthcare, government) where sophisticated attackers chain multiple exploits, this becomes part of a credible multi-stage attack chain. The lack of KEV designation suggests this is not yet actively exploited in the wild, providing a window for proactive patching.

Affected systems

Google Chrome on Microsoft Windows versions prior to 148.0.7778.216 are affected. The vulnerability does not impact Chrome on macOS, Linux, or Android based on the vendor disclosure specificity. Organizations running Chrome on Windows—whether as the primary browser or sandboxed for untrusted content—should prioritize inventory and patching. This includes enterprise deployments, BYOD environments, and publicly-facing kiosks.

Exploitability

Exploitability is constrained by a high bar: the attacker must first compromise the Chrome renderer process (itself a separate, often-patched attack surface). Once that precondition is met, exploitation requires crafting a malicious HTML page and convincing the user to load it in the compromised browser. The user interaction requirement and the need for prior renderer compromise place this in the LOW CVSS severity bracket. However, the Chromium High rating acknowledges that in scenarios where renderer exploits are chained together, this becomes a convenient next-stage payload to steal user data. No public exploit code is known at this time, and the vulnerability is not tracked in the CISA KEV catalog.

Remediation

Update Google Chrome on Windows to version 148.0.7778.216 or later. The update is available through Chrome's built-in auto-update mechanism (typically completing within 24–48 hours of release). For organizations with enforced update policies, expedite the Chrome update through your MDM or software deployment system. Concurrent remediation of any renderer-process exploits in your environment will further reduce risk. Verify patch installation by navigating to chrome://version in an updated browser.

Patch guidance

1. Enable automatic updates for Chrome (default in most deployments) to receive version 148.0.7778.216 or later. 2. If auto-update is disabled, manually check Help > About Google Chrome and select 'Update Google Chrome'. 3. For enterprise deployments, consult your MDM vendor (Intune, Jamf, etc.) for policies to deploy the patched Chrome version across managed endpoints. 4. Verify successful patching by confirming the version number in chrome://version matches 148.0.7778.216 or a newer release. 5. No configuration changes or feature flags are required; the patch is a direct engine update.

Detection guidance

Detection of active exploitation is challenging because the attack is post-compromise data theft without obvious system-level artifacts. Monitor for: 1. Unusual outbound data exfiltration from Chrome processes to external domains following known renderer exploits. 2. Browser process crashes or anomalies correlating with suspicious HTML page loads. 3. Review browser history and cache for unexpected cross-origin data access patterns if investigating a suspected compromise. 4. Deploy endpoint detection and response (EDR) tools to correlate renderer-process vulnerabilities with subsequent data leakage behavior. 5. Track Chrome version numbers in your fleet using inventory management tools to ensure rapid identification of unpatched systems.

Why prioritize this

Prioritize this patch for Windows Chrome deployments within your monthly cycle, but it is not an emergency. The LOW CVSS score and absence from the KEV catalog indicate limited immediate threat. However, the High Chromium severity and the realistic post-compromise data-theft scenario mean that organizations protecting high-value data or operating in advanced-threat environments should accelerate patching to 1–2 weeks. Combine this update with any pending renderer exploits or watering-hole mitigations in your threat model.

Risk score, explained

The CVSS v3.1 score of 3.1 (LOW) reflects the high attack complexity (AC:H), requirement for user interaction (UI:R), and limited impact (confidentiality only, no integrity or availability). However, Chromium's High severity rating accounts for the fact that this flaw is most dangerous in a targeted, multi-stage attack where a sophisticated adversary chains a renderer exploit with this data-leakage flaw. The disconnect between CVSS and Chromium severity is not unusual: CVSS prioritizes standalone, un-preceded vulnerability severity, while vendor ratings account for in-the-wild attack patterns and chaining potential. For prioritization, use both signals: treat as a standard monthly patch (CVSS) but accelerate if you are tracking active renderer exploits in your environment (Chromium High).

Frequently asked questions

Do I need to patch this immediately?

No, but do not defer indefinitely. The CVSS LOW score and lack of active exploitation (no KEV listing) mean this is not a critical emergency. Plan to deploy version 148.0.7778.216 or later within your standard monthly patch cycle. If your organization is under active targeted attack or tracks renderer-process compromises in your threat intelligence, accelerate to 1–2 weeks.

What happens if my Chrome version is older than 148.0.7778.216?

Your system is vulnerable to data theft if an attacker has also compromised your browser's renderer process. The renderer sandbox is a strong defense, but additional exploit chains could breach it. Patching closes one window in a multi-stage attack. Verify your Chrome version in chrome://version and update immediately if you are behind.

Is this vulnerability exploitable without first compromising the renderer?

No. The vulnerability requires the renderer process to already be under attacker control. It is a post-compromise amplification flaw, not a direct entry point. If your browser sandbox is intact, you are not at risk from this flaw alone. However, ongoing threats like watering-hole sites may attempt to chain renderer exploits with this flaw.

Does this affect Chrome on my Mac or Linux machine?

No, this vulnerability is specific to Windows. Chrome on macOS, Linux, and Android is not affected according to the vendor advisory. Windows users, however, should prioritize patching.

This analysis is based on the official CVE record and Chromium security advisory published as of the modification date (2026-06-17). Patch version numbers and affected product versions are sourced directly from vendor disclosures. No exploit code or weaponized proof-of-concept details are provided. Security teams should verify compatibility and test patches in non-production environments before enterprise deployment. This analysis does not substitute for vendor advisories or security assessments tailored to your organization's risk profile. Consult your MDM provider and Chrome Enterprise policies for deployment guidance in regulated environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).