PatchSiren cyber security CVE debrief
CVE-2026-9872 Google CVE debrief
A critical out-of-bounds write vulnerability in the GPU component of Google Chrome on Android, disclosed 2026-05-28, enables remote sandbox escape via crafted HTML. The flaw (CWE-787) affects Chrome versions prior to 148.0.7778.216. No known exploitation in ransomware campaigns has been reported.
- Vendor
- Product
- Chrome
- CVSS
- CRITICAL 9.6
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-28
- Original CVE updated
- 2026-05-29
- Advisory published
- 2026-05-28
- Advisory updated
- 2026-05-29
Who should care
Organizations with Android device fleets, mobile security teams, BYOD programs, and users relying on Chrome for sensitive browsing activities
Technical summary
CVE-2026-9872 is an out-of-bounds write (CWE-787) in the GPU processing component of Google Chrome on Android. The vulnerability allows a remote attacker to escape the browser sandbox by delivering a maliciously crafted HTML page. Successful exploitation could lead to code execution outside the restricted sandbox environment. The issue was resolved in Chrome 148.0.7778.216. The vulnerability carries Chromium's highest severity rating (Critical) due to the sandbox escape potential.
Defensive priority
critical
Recommended defensive actions
- Update Google Chrome on Android devices to version 148.0.7778.216 or later
- Prioritize patching for devices handling untrusted web content or in high-risk environments
- Monitor for future CVSS scoring and CISA KEV listing
- Review application sandbox configurations as defense-in-depth
- Consider network-level filtering of untrusted HTML content until patching is complete
Evidence notes
Official Chrome release notes and Chromium issue tracker confirm the vulnerability class, affected platform (Android), and patched version. CVSS score not yet assigned in source data.
Official resources
2026-05-28