PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10008 Google CVE debrief

A high-severity uninitialized memory vulnerability in Google Chrome's GPU component on Android allows remote attackers to extract potentially sensitive information from process memory via a crafted HTML page. The flaw, classified as CWE-457 (Use of Uninitialized Variable), affects Chrome versions prior to 148.0.7778.216 on Android. The vulnerability was disclosed on May 28, 2026, with fixes available in the stable channel update. No known exploitation in ransomware campaigns has been reported.

Vendor: Google
Product: Chrome
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations with Android device fleets, mobile security teams, BYOD policy administrators, and users relying on Chrome for sensitive web applications on Android devices

Technical summary

The vulnerability exists in the GPU component of Google Chrome on Android, where uninitialized memory can be accessed by a remote attacker through a malicious HTML page. This information disclosure weakness (CWE-457) enables extraction of sensitive data from process memory without requiring local access. The attack vector is network-based with low complexity, requiring user interaction to visit a crafted page. The fix was released in Chrome stable channel version 148.0.7778.216 on May 28, 2026.

Defensive priority

high

Recommended defensive actions

  • Update Google Chrome on Android devices to version 148.0.7778.216 or later
  • Monitor for stable channel security updates from Google Chrome releases
  • Review application logs for unusual GPU process memory access patterns on Android endpoints
  • Consider implementing site isolation policies to limit impact of renderer compromise
  • Assess mobile device management policies to ensure timely browser update deployment

Evidence notes

Vulnerability confirmed through official Chrome release notes and Chromium issue tracker. CWE-457 classification provided by [email protected]. Affected product and version range explicitly stated in CVE description.

Official resources

2026-05-28