CVE-2026-9122 Google CVE debrief

Who should care

Security teams managing Chrome on macOS, endpoint administrators, SOC analysts monitoring browser risk, and users who regularly browse untrusted web content should prioritize this issue.

Technical summary

Official sources describe an out-of-bounds read in Chrome's GPU path on Mac prior to 148.0.7778.179. The attack requires a crafted HTML page and user interaction, and the expected impact is confidentiality loss through exposure of process memory. NVD maps the weakness to CWE-125 and gives the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, indicating network reachability, no privileges, and high confidentiality impact.

Defensive priority

Medium. Prioritize prompt patching for managed Mac fleets and any environment where users routinely visit untrusted websites, since the primary risk is memory disclosure rather than code execution or service disruption.

Recommended defensive actions

• Update Google Chrome on Mac to 148.0.7778.179 or later as soon as practical.
• Verify fleet compliance by checking installed Chrome versions on macOS endpoints.
• Treat untrusted HTML content as a trigger vector and consider heightened monitoring until patch deployment is complete.
• Use standard browser hardening and rapid update channels for desktop Chrome deployments.

Evidence notes

The debrief is based on the supplied official sources only: the NVD CVE record, the Chrome release note referenced by Google, and the Chromium issue reference. These sources consistently describe a GPU out-of-bounds read in Google Chrome on Mac, fixed in 148.0.7778.179, with potential memory disclosure via crafted HTML. NVD lists the vulnerability as received and assigns CVSS 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) and CWE-125.

Official resources