PatchSiren cyber security CVE debrief

CVE-2026-8583 Google CVE debrief

CVE-2026-8583 is a medium-severity information disclosure vulnerability in Google Chrome on Android, affecting versions prior to 148.0.7778.168. The flaw stems from insufficient policy enforcement in the WebXR API, which could allow a remote attacker who has already compromised the renderer process to extract potentially sensitive information from process memory via a crafted HTML page. The vulnerability was published on May 14, 2026, and last modified on May 19, 2026. Google has addressed this issue in the stable channel update released on May 12, 2026.

Vendor: Google
Product: Chrome
CVSS: 5.3 (Medium)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-19
Advisory published: 2026-05-14
Advisory updated: 2026-05-19

Who should care

Organizations with Android device fleets using Chrome for business operations, developers building WebXR applications, security teams monitoring browser-based attack chains, and mobile device management administrators responsible for browser update compliance.

Technical summary

The vulnerability exists in Chrome's WebXR implementation on Android, where insufficient policy enforcement allows an already compromised renderer process to bypass intended access controls. WebXR (Web Extended Reality) provides VR/AR capabilities to web applications. Because the flaw requires a prior renderer compromise, it is likely to be used as one link in an exploit chain rather than as a standalone exploit. Successful exploitation could expose process memory contents, potentially including sensitive data from other browsing contexts. The fix was released in Chrome 148.0.7778.168.

Defensive priority

Medium

Recommended defensive actions

  • Update Google Chrome on Android to version 148.0.7778.168 or later
  • Monitor for unexpected WebXR permission requests from untrusted sites
  • Apply the principle of least privilege to WebXR device access
  • Review application logs for renderer process anomalies on Android endpoints
  • Consider site isolation policies to limit the impact of a renderer compromise
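The first action above is a fleet compliance check. The following added example (not PatchSiren's code) flags Android devices whose reported Chrome build predates the fixed version, comparing version components numerically so that a build such as 148.0.7778.9 is not mistaken for a newer one; the inventory rows and the package name `com.android.chrome` are constructed assumptions standing in for a real MDM export.

```python
from __future__ import annotations

# Added example (not PatchSiren's code): flag Android devices whose Chrome
# build predates the CVE-2026-8583 fix. The inventory below is constructed to
# resemble an MDM export with "<device_id>,<package>,<reported_version>" rows.
FIXED_VERSION = "148.0.7778.168"  # fix version stated in the debrief
CHROME_PACKAGE = "com.android.chrome"  # assumed package name for Chrome on Android

SAMPLE_INVENTORY = """\
dev-001,com.android.chrome,148.0.7778.168
dev-002,com.android.chrome,148.0.7778.9
dev-003,com.android.chrome,147.0.7712.203
dev-004,com.android.chrome,149.0.7801.12
dev-005,com.android.chrome,148.0.7778.200
dev-006,org.mozilla.firefox,140.1.0
dev-007,com.android.chrome,not-installed
"""


def parse_version(text: str) -> tuple[int, ...] | None:
    """Numeric tuple for a dotted version string, or None if unparseable."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None


def is_vulnerable(version: str) -> bool | None:
    """True if below the fixed build, False if at or above, None if unknown."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    # Tuples compare numerically per component, so 148.0.7778.9 correctly
    # sorts below 148.0.7778.168; a plain string compare would get this wrong.
    return parsed < parse_version(FIXED_VERSION)


def find_exposed_devices(inventory: str) -> dict[str, list[str]]:
    """Bucket Chrome devices into 'vulnerable', 'patched' and 'unknown'."""
    result: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for line in inventory.splitlines():
        device_id, package, version = (f.strip() for f in line.split(",", 2))
        if package != CHROME_PACKAGE:
            continue  # other browsers are out of scope for this CVE
        verdict = is_vulnerable(version)
        key = "unknown" if verdict is None else "vulnerable" if verdict else "patched"
        result[key].append(device_id)
    return result
```

Devices landing in the "unknown" bucket (no parseable version) deserve a manual follow-up rather than being assumed patched.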

Evidence notes

Vulnerability confirmed through official Google Chrome release notes and Chromium issue tracker. CVSS 3.1 score of 5.3 (Medium) assigned by NVD. Affected versions confirmed via CPE criteria in NVD record.
