PatchSiren

CVE-2026-9113 Google CVE debrief

CVE-2026-9113 is an out-of-bounds read in the GPU component of Google Chrome on macOS. According to the CVE description, a remote attacker could trigger the issue through a crafted HTML page in Chrome versions prior to 148.0.7778.179. The NVD record maps the issue to CWE-125 and shows a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N, indicating user interaction is required and the primary impact is limited confidentiality exposure. Google’s Chrome release notes and Chromium issue tracker are listed as source references in the NVD entry, which supports this as a browser patching issue rather than a general system vulnerability. The vendor’s Chromium severity is marked High in the supplied description, so even with a medium CVSS score, this should be treated as a prompt update item for managed Chrome on Mac fleets.

Vendor: Google
Product: Chrome
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-21
Advisory published: 2026-05-20
Advisory updated: 2026-05-21

Who should care

Security teams, Mac endpoint administrators, managed browser operators, and users who run Google Chrome on macOS—especially environments that rely on rapid browser patching and allow access to untrusted web content.

Technical summary

The flaw is an out-of-bounds memory read in Chrome’s GPU path on macOS. A crafted HTML page can cause the browser to read memory outside the intended bounds, which can expose limited information but does not indicate integrity or availability impact in the supplied CVSS vector. The issue is identified as CWE-125 and fixed in Chrome 148.0.7778.179.

Defensive priority

High for Google Chrome on macOS fleets. Prioritize deployment of 148.0.7778.179 or later as soon as practical, since the issue is remotely triggerable through browser content and Google’s Chromium severity is listed as High.

Recommended defensive actions

  • Update Google Chrome on macOS to version 148.0.7778.179 or later.
  • Verify that auto-update or managed browser update policies are working and that the fixed build is actually installed.
  • Prioritize Mac endpoints that regularly browse untrusted or externally supplied web content.
  • Track the linked Chrome release note and Chromium issue for any follow-up guidance or related fixes.
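
One way to confirm the fixed build is actually installed on a Mac, as an added example that is not PatchSiren's or Google's own code. It assumes Chrome lives at the default /Applications path and that the script is run per host by a management tool; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not PatchSiren or Google code): report whether the Chrome
# bundle on a Mac is at or above the build that fixes CVE-2026-9113.
FIXED_VERSION="148.0.7778.179"   # fixed build stated in the CVE description
# Assumption: Chrome is installed at the default system-wide location.
CHROME_APP="${CHROME_APP:-/Applications/Google Chrome.app}"

# version_lt A B: return 0 when dotted version A is strictly older than B.
# Components compare numerically, so 148.0.7778.99 sorts before 148.0.7778.179.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}      # a missing component counts as 0
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1                      # equal versions are not "older"
}

# classify_version V: print PATCHED, VULNERABLE or UNKNOWN.
classify_version() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) echo UNKNOWN; return 0 ;;  # reject malformed input
    esac
    if version_lt "$1" "$FIXED_VERSION"; then echo VULNERABLE; else echo PATCHED; fi
}

# installed_chrome_version: print the bundle version, or nothing if absent.
installed_chrome_version() {
    [ -f "$CHROME_APP/Contents/Info.plist" ] || return 0
    defaults read "$CHROME_APP/Contents/Info" CFBundleShortVersionString 2>/dev/null || true
}

# report: one line per host, for collection by a management tool.
report() {
    v=$(installed_chrome_version)
    if [ -z "$v" ]; then status=NOT_INSTALLED; else status=$(classify_version "$v"); fi
    echo "host=$(hostname) chrome=${v:-none} status=$status"
}

report
```

The script reads the version of the bundle on disk. A Chrome process that was already running when the update landed keeps executing the old build until it is relaunched, so a PATCHED result still needs a browser restart to take effect.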

Evidence notes

The supplied NVD record states vulnStatus "Received" and includes references to a Google Chrome Stable Channel update and a Chromium issue tracker entry. The CVE description specifies Google Chrome on Mac prior to 148.0.7778.179 and a crafted HTML page as the trigger. The NVD CVSS vector is AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N, and the listed weakness is CWE-125.

Official resources

CVE-2026-9113 was published by NVD on 2026-05-20, with references pointing to Google’s Chrome stable-channel update and the Chromium issue tracker entry. Use the CVE publication date and vendor references as the timing context for this item.