PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9875 Google CVE debrief

An out-of-bounds read vulnerability in WebGL on Google Chrome for Android prior to version 148.0.7778.216 enables remote attackers to potentially escape the browser sandbox via a crafted HTML page. The Chromium security team has assigned this a Critical severity rating. The vulnerability stems from improper bounds checking in WebGL component code (CWE-125), which could allow memory corruption leading to sandbox escape. This affects only Android deployments of Chrome; desktop versions are not impacted per the advisory scope. The fix was released in the stable channel update dated May 2026. Organizations should prioritize updating Android Chrome installations to version 148.0.7778.216 or later. Given the Critical severity and sandbox escape potential, this vulnerability poses significant risk for targeted attacks against mobile users. No known exploitation in ransomware campaigns has been reported.

Vendor: Google
Product: Chrome
CVSS: CRITICAL 9.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations with Android device fleets, mobile security teams, enterprise mobility administrators, and users relying on Chrome for sensitive browsing on Android devices

Technical summary

Out-of-bounds read (CWE-125) in WebGL implementation on Google Chrome for Android versions prior to 148.0.7778.216. Remote attack vector via crafted HTML page. Successful exploitation may result in browser sandbox escape. Fixed in Chrome 148.0.7778.216 stable channel release.

Defensive priority

Critical

Recommended defensive actions

  • Update Google Chrome on Android devices to version 148.0.7778.216 or later through Google Play Store
  • Verify Chrome version on managed Android devices via enterprise mobility management (EMM) console
  • Block or restrict untrusted web content on unpatched Android Chrome installations until the update can be applied
  • Monitor for anomalous browser process behavior or unexpected sandbox escape indicators on Android endpoints
  • Review application inventory to identify non-Play Store Chrome installations requiring manual update
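As an added example (not part of the PatchSiren debrief and not Google's code), a small Python triage script for the EMM version-verification and inventory-review steps above. It assumes a hypothetical EMM export with `device`, `chrome_version` and `installer` fields and uses constructed sample rows; the point it demonstrates is that version strings must be compared component by component, since a plain string compare ranks 148.0.7778.9 above 148.0.7778.216.

```python
"""Added example: flag Android Chrome installs still below the fixed
version 148.0.7778.216 in an EMM application-inventory export.

Assumptions: the EMM console exports device rows as dicts with 'device',
'chrome_version' and 'installer' fields (hypothetical field names); the
inventory below is constructed sample data, not real devices.
"""
import re

FIXED_VERSION = "148.0.7778.216"   # fixed stable release named in the advisory

# Constructed sample of an EMM application-inventory export.
SAMPLE_INVENTORY = [
    {"device": "pixel-01", "chrome_version": "148.0.7778.216", "installer": "com.android.vending"},
    {"device": "pixel-02", "chrome_version": "148.0.7778.9",   "installer": "com.android.vending"},
    {"device": "tab-07",   "chrome_version": "147.0.7700.85",  "installer": "unknown"},
    {"device": "pixel-09", "chrome_version": "149.0.7801.12",  "installer": "com.android.vending"},
    {"device": "tab-11",   "chrome_version": "148.0.7778.300", "installer": "sideloaded"},
]

def parse_version(text):
    """Turn '148.0.7778.216' into (148, 0, 7778, 216) so comparison is
    numeric per component rather than lexical."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised Chrome version string: {text!r}")
    return tuple(int(part) for part in text.split("."))

def is_vulnerable(version):
    """True when the reported build predates the fixed stable release."""
    return parse_version(version) < parse_version(FIXED_VERSION)

def triage(inventory, play_store_installer="com.android.vending"):
    """Return devices that still need action, noting whether the update
    can arrive via Play Store or has to be applied manually."""
    findings = []
    for row in inventory:
        if not is_vulnerable(row["chrome_version"]):
            continue
        manual = row["installer"] != play_store_installer
        findings.append({"device": row["device"],
                         "version": row["chrome_version"],
                         "needs_manual_update": manual})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(finding)
```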

Evidence notes

Vulnerability description and affected version range sourced from the NVD record. Chromium security severity rating and WebGL component attribution taken from the official Chrome release notes. CWE-125 classification from the NVD weaknesses field. Fix version 148.0.7778.216 confirmed via the Chrome stable channel advisory. Android-only scope derived from the explicit platform restriction in the vulnerability description.

Official resources

2026-05-28