PatchSiren cyber security CVE debrief
CVE-2026-9121 Google CVE debrief
CVE-2026-9121 describes an out-of-bounds read in Chrome's GPU component that could be triggered remotely through a crafted HTML page. The issue affects Chrome versions prior to 148.0.7778.179 and is described as potentially leading to heap corruption. NVD assigns a CVSS 3.1 base score of 8.8 (HIGH), while Chromium’s own severity label is Medium, so defenders should treat it as an important browser update rather than a routine maintenance item.
- Vendor: Google
- Product: Chrome
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-21
Who should care
Security and IT teams managing Google Chrome deployments, endpoint administrators, and users who rely on Chrome for daily browsing. Organizations that leave browser auto-update timing unpinned, or that expose Chrome to high-risk browsing workflows, should prioritize verifying that systems are on 148.0.7778.179 or later.
Technical summary
The published NVD record attributes CVE-2026-9121 to a GPU out-of-bounds read in Google Chrome, with a crafted HTML page as the remote trigger. The record references Chromium issue 488064108 and the Google Chrome stable channel update for desktop, and lists CWE-125. The vulnerability is described as allowing a remote attacker to potentially exploit heap corruption. The affected version boundary in the description is prior to 148.0.7778.179.
Defensive priority
High. This is a remotely triggerable browser issue with potential heap-corruption impact in a widely deployed client application. Even though Chromium labels it Medium, the NVD CVSS score is 8.8 and the attack path requires only a crafted web page and user interaction through browsing.
Recommended defensive actions
- Update Google Chrome to version 148.0.7778.179 or later on all managed endpoints.
- Verify browser auto-update is working and that restart prompts are not being deferred indefinitely.
- Prioritize patching devices used for high-risk web activity, shared workstations, and privileged users.
- Monitor vendor advisory channels and Chromium issue references for any follow-up details or mitigations.
- If patching is delayed, reduce exposure by limiting untrusted browsing on unpatched systems.
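The first two actions can be checked against an endpoint inventory export. The following is an added example, not code from the advisory or from Google: it compares four-part Chrome versions numerically against 148.0.7778.179 and separates hosts where the update is on disk but the old build is still running. The inventory layout (hostname, installed version, running version), the hostnames and every version other than the fixed one are assumptions constructed for illustration.

```python
import re

# First fixed build named in the advisory text above.
FIXED = (148, 0, 7778, 179)
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Pull a four-part Chrome version out of text like 'Google Chrome 148.0.7778.99'."""
    match = _VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(installed, running=None, fixed=FIXED):
    """Classify one endpoint. 'installed' is the version on disk; 'running' is the
    version of the live browser process, if the inventory tool reports it."""
    on_disk = parse_version(installed)
    if on_disk is None:
        return "unknown"            # unparseable or missing: needs manual follow-up
    if on_disk < fixed:             # integer tuple compare, not string compare
        return "vulnerable"
    live = parse_version(running) if running else None
    if live is not None and live < fixed:
        return "restart-pending"    # update staged, old code still executing
    return "patched"


def triage(inventory):
    """Group hostnames by status so the vulnerable set can be worked first."""
    report = {"vulnerable": [], "restart-pending": [], "unknown": [], "patched": []}
    for host, installed, running in inventory:
        report[classify(installed, running)].append(host)
    return report


# Constructed sample inventory (hostnames and non-fixed versions are made up).
SAMPLE = [
    ("ws-001", "Google Chrome 148.0.7778.179", "148.0.7778.179"),
    ("ws-002", "Google Chrome 148.0.7778.99", "148.0.7778.99"),   # "99" > "179" as text
    ("ws-003", "148.0.7778.179", "148.0.7778.99"),                # restart deferred
    ("ws-004", "Google Chrome 149.0.7800.10", None),
    ("ws-005", "", None),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:16} {', '.join(hosts) or '-'}")
```

Comparing the version strings as text would rank 148.0.7778.99 above 148.0.7778.179 and report ws-002 as patched, which is why the components are converted to integers first.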
Evidence notes
Primary evidence comes from the NVD CVE record and its referenced Google Chrome sources. The NVD record states the issue is an out-of-bounds read in GPU in Google Chrome prior to 148.0.7778.179, triggered by a crafted HTML page, with potential heap corruption. It also lists CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H and CWE-125. The record references the Google Chrome stable channel update for desktop and Chromium issue 488064108.
Official resources
- CVE-2026-9121 CVE record (CVE.org)
- CVE-2026-9121 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference (Vendor Advisory)
- Source reference (Permissions Required)
Publicly disclosed in the CVE/NVD record on 2026-05-20, with vendor references pointing to the Google Chrome stable channel update and the related Chromium issue tracker entry.