MEDIUM 6.5

CVE-2026-9996: Out-of-bounds Read in Chrome WebRTC on macOS – Patch Guidance

A flaw in Google Chrome's WebRTC component allows a remote attacker to trick a user into visiting a malicious webpage that reads sensitive data from the browser's memory. The vulnerability affects Mac users running Chrome versions before 148.0.7778.216. No user action beyond visiting a crafted page is required for the attacker to attempt exploitation.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-125
Affected products
2 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Out of bounds read in WebRTC in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9996 is an out-of-bounds read vulnerability in the WebRTC implementation within Google Chrome on macOS. The flaw permits an attacker to craft a malicious HTML page that, when visited by a user, triggers an out-of-bounds memory read. This allows the attacker to exfiltrate sensitive data residing in the Chrome process memory, potentially including cryptographic keys, authentication tokens, or other confidential information. The vulnerability is categorized under CWE-125 (Out-of-bounds Read), which describes improper bounds checking that permits access to memory locations outside the intended buffer.

Business impact

Organizations with macOS deployments using Chrome may face data exposure risk if employees or contractors visit attacker-controlled or compromised websites. Sensitive business information, credentials, or intellectual property stored in process memory could be leaked. Financial, healthcare, and government sectors are particularly vulnerable if their users rely on Chrome as a primary browser. The attack surface is broad since it requires only a user to visit a webpage—no plugin installation, download, or explicit user consent is needed.

Affected systems

The vulnerability affects Google Chrome on macOS systems running versions prior to 148.0.7778.216. Windows, Linux, and mobile variants of Chrome are not mentioned in the advisory, suggesting this flaw is Mac-specific. However, any organization should verify their full Chrome deployment footprint across platforms and prioritize patching Mac instances immediately.

Exploitability

Exploitability is rated as moderate to moderately-high (CVSS score 6.5). The attack vector is network-based, requires no authentication or special privileges, and relies solely on user interaction—specifically visiting a crafted webpage. The barrier to entry is low: an attacker can host the malicious content on any web server or embed it in a compromised or phishing-lured domain. No active browser exploitation framework or zero-day kit is required, making this accessible to a broad range of threat actors.

Remediation

Immediately update Google Chrome to version 148.0.7778.216 or later on all macOS systems. Chrome typically auto-updates, but users should verify their installed version through Settings > About Chrome. Organizations should enforce automatic updates via mobile device management (MDM) or configuration policies if deployed in enterprise environments. For high-risk users or environments, consider temporarily disabling WebRTC features or restricting access to untrusted web content until patching is complete.

Patch guidance

Navigate to Settings > About Chrome to trigger an automatic check and download. Chrome will restart to apply the patch. Verify the update by checking the version number; it should display 148.0.7778.216 or higher. Enterprise administrators deploying Chrome via policy should update their deployment configurations to mandate version 148.0.7778.216 or later and verify rollout across all macOS endpoints within 48–72 hours. Test patch compatibility in a staging environment if custom Chrome configurations or extensions are in use.

Detection guidance

Monitor Chrome crash logs and browser console errors for WebRTC-related issues following patch deployment. Inspect network traffic from Chrome processes for unusual memory exfiltration patterns if vulnerability exploitation is suspected. Endpoint detection and response (EDR) tools should monitor for suspicious Chrome child processes or memory access anomalies. Check user browsing history for visits to suspicious domains or phishing URLs in the days before a suspected exploit. Correlate Chrome version inventory with patch status across macOS endpoints using MDM or asset management tools.

Why prioritize this

Although the CVSS score is 6.5 (Medium), the practical risk warrants urgent prioritization. The attack vector requires only a malicious webpage visit, making it deployable at scale through phishing, watering-hole attacks, or compromised ad networks. The impact is confidentiality loss with potential for exfiltration of high-value secrets. The combination of ease of exploitation and broad user exposure on macOS justifies treating this as a priority patch despite the moderate CVSS score.

Risk score, explained

The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) reflects: Network Attack Vector (AV:N)—remote exploitation via web; Low Attack Complexity (AC:L)—no special conditions needed; No Privileges Required (PR:N)—attacker has no prior access; User Interaction Required (UI:R)—victim must visit the page; Unchanged Scope (S:U)—impact limited to Chrome process; High Confidentiality Impact (C:H)—sensitive data can be read; No Integrity or Availability Impact (I:N/A:N)—data is not modified or service disrupted. The score reflects moderate overall severity, but the real-world attack surface and ease of weaponization elevate operational risk beyond the numerical rating.

Frequently asked questions

Does this vulnerability affect Chrome on Windows, Linux, or mobile?

The advisory specifies macOS as the affected platform. However, always verify against the official Google Chrome security bulletin and test across your full deployment stack, as vulnerability scope can occasionally expand or vary by release channel.

Can this be exploited without the user clicking anything?

The vulnerability requires User Interaction (UI:R in the CVSS vector), meaning the user must visit the malicious webpage. However, no further action—such as clicking a button or downloading a file—is required; simply loading the page triggers the memory read.

Will updating Chrome automatically protect me?

Chrome ships with auto-update enabled by default. Once version 148.0.7778.216 is available, it will be downloaded and applied on next browser restart. However, if auto-update is disabled in your environment, manual patching is required. Enterprise deployments should verify update policies are enforced.

What kind of sensitive data could be stolen?

An attacker could potentially extract cryptographic keys, session tokens, cached passwords, or any other data resident in the Chrome process memory. The exact exposure depends on what was in memory at the time of exploitation and what the attacker can extract and decode.

This analysis is based on the CVE record published as of June 2026 and vendor advisories available at that time. Security vulnerabilities are dynamic; patch availability, exploit prevalence, and remediation guidance may evolve. Always verify patch version numbers and deployment steps against the official Google Chrome security release notes and your organization's security advisories before applying updates. SEC.co makes no warranty regarding the completeness or accuracy of this advisory and recommends consulting with your security team and vendor documentation for organization-specific guidance. This content is for informational purposes only and should not substitute for a comprehensive vulnerability management program. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).