PatchSiren

CVE-2026-9116 Google CVE debrief

CVE-2026-9116 affects Google Chrome prior to 148.0.7778.179. According to the CVE description, insufficient policy enforcement in ServiceWorker could allow a remote attacker to leak cross-origin data from a crafted HTML page. NVD lists the issue as CVSS 4.3 (Medium), while Chromium labels it High severity, so it is worth prioritizing browser updates even though user interaction is required.

Vendor: Google
Product: Chrome
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-21
Advisory published: 2026-05-20
Advisory updated: 2026-05-21

Who should care

Chrome/Chromium browser administrators, enterprise endpoint teams, and users running versions earlier than 148.0.7778.179—especially where browser-based access to sensitive internal or cross-origin web content matters.

Technical summary

The vulnerability is described as an insufficient policy enforcement issue in ServiceWorker. The attacker model in NVD is network-based with low attack complexity and no privileges, but it requires user interaction (CVSS: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N). The impact is confidentiality-only: a crafted HTML page could leak cross-origin data. The NVD record also associates the issue with CWE-693 (Protection Mechanism Failure).

Defensive priority

High

Recommended defensive actions

  • Update Google Chrome to 148.0.7778.179 or later on all affected systems.
  • Verify the browser version across managed endpoints and enforce update compliance.
  • Restart browsers after updating so the fixed code is actually loaded.
  • Prioritize systems that routinely access sensitive internal applications or multiple web origins in the same browser profile.
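
One way to check update and restart compliance against the fixed build, shown as an added example (not code from the advisory or from Google). The inventory rows, hostnames, and every version string other than 148.0.7778.179 are constructed, and the installed/running split assumes your endpoint tooling reports both values.

```python
# Added example: classify endpoint inventory rows against the fixed Chrome build.
FIXED = (148, 0, 7778, 179)  # fixed-version boundary from the CVE description

def parse_version(text):
    """Return a 4-int tuple for 'a.b.c.d', or None if the string is malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(installed, running=None):
    """installed: version on disk; running: version of the live process, if known."""
    inst = parse_version(installed)
    if inst is None:
        return "unknown"            # do not count unparseable rows as patched
    if inst < FIXED:                # numeric compare: .96 sorts below .179
        return "vulnerable"
    if running:
        run = parse_version(running)
        if run is None:
            return "unknown"
        if run < FIXED:
            return "restart-pending"  # updated on disk, old code still loaded
    return "compliant"

# Constructed sample inventory: (host, installed version, running version or None)
INVENTORY = [
    ("host-a", "148.0.7778.179", "148.0.7778.179"),
    ("host-b", "148.0.7778.96", "148.0.7778.96"),
    ("host-c", "148.0.7778.179", "148.0.7778.96"),
    ("host-d", "149.0.7800.10", None),
    ("host-e", "148.0.7778", None),
    ("host-f", "147.0.9999.999", None),
]

def report(inventory=INVENTORY):
    """Map each host to vulnerable / restart-pending / compliant / unknown."""
    return {host: classify(inst, run) for host, inst, run in inventory}

if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}\t{status}")
```

A plain string comparison would rank "148.0.7778.96" above "148.0.7778.179" and report host-b as patched, which is why the check compares integer tuples.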

Evidence notes

The CVE description explicitly states the affected product, the fixed version boundary, the ServiceWorker policy enforcement weakness, the crafted HTML trigger, and the cross-origin data leak outcome. The NVD record provides the CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N), severity score 4.3, and CWE-693. The supplied references point to the Chrome Stable Channel update page and a Chromium issue tracker entry, but the bulletin text itself was not included in the corpus.

Official resources

Published in the supplied CVE/NVD record on 2026-05-20T20:16:42.843Z. Source metadata references a Google Chrome Stable Channel update and a Chromium issue tracker entry.