PatchSiren cyber security CVE debrief

CVE-2026-9917 Google CVE debrief

CVE-2026-9917 is an uninitialized-memory-use vulnerability in WebGL, rated High by the Chromium security team (CVSS 6.5, Medium), affecting Google Chrome on Android versions prior to 148.0.7778.216. The flaw allows a remote attacker to extract potentially sensitive information from process memory by tricking a user into visiting a crafted HTML page. The vulnerability stems from improper initialization of memory in the WebGL implementation (CWE-457): memory that was never written is read and its stale contents can be exposed to attacker-controlled JavaScript, which is an information disclosure rather than a memory-corruption primitive. The issue was addressed in the Chrome stable channel update released May 2026. Organizations should prioritize updating Android Chrome installations to version 148.0.7778.216 or later.

Vendor: Google
Product: Chrome
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations with Android device fleets, mobile security teams, BYOD administrators, and users who rely on Chrome for sensitive web browsing on Android devices

Technical summary

The vulnerability exists in the WebGL implementation of Google Chrome on Android, where uninitialized memory can be accessed and potentially leaked to remote attackers through malicious HTML content. The flaw is classified as CWE-457 (Use of Uninitialized Variable) and carries a Chromium security severity rating of High. Successful exploitation requires user interaction to visit a crafted web page, but no additional privileges are needed. The attack vector is network-based with low complexity. The fix was released in Chrome 148.0.7778.216.

Defensive priority

High

Recommended defensive actions

  • Update Google Chrome on Android devices to version 148.0.7778.216 or later
  • Verify Chrome auto-update is enabled on managed Android devices
  • Monitor for unexpected Chrome versions in mobile device management inventories
  • Consider implementing application control policies to block outdated Chrome versions on corporate Android devices
  • Review WebGL usage policies for untrusted web content on Android endpoints
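The first three actions above all reduce to one check: is the Chrome build on each Android device at or above 148.0.7778.216? The following script is an added example, not PatchSiren's tooling or any Google code. It compares Chrome's four-part version numerically (a plain string comparison would wrongly rank 148.0.7778.99 above 148.0.7778.216), treats a missing or malformed version as "unknown" rather than silently as patched, and shows how to pull the version out of `adb shell dumpsys package com.android.chrome` output. The inventory rows, device ids and dumpsys excerpt are constructed for illustration; it assumes the MDM export reports Chrome under its Play package name `com.android.chrome`.

```python
"""Triage Android Chrome builds against the fixed version for CVE-2026-9917."""
import re
from typing import Dict, List, Optional, Sequence, Tuple

# First patched Chrome for Android build, taken from the advisory text.
FIXED_VERSION = "148.0.7778.216"
CHROME_PACKAGE = "com.android.chrome"  # Play Store package name for Chrome (assumed inventory key)

# Constructed sample of an MDM inventory export: (device id, package, versionName).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("dev-0001", CHROME_PACKAGE, "148.0.7778.216"),   # exactly the fixed build
    ("dev-0002", CHROME_PACKAGE, "148.0.7778.99"),    # string-sorts "newer", numerically older
    ("dev-0003", CHROME_PACKAGE, "147.0.7701.140"),   # previous major release
    ("dev-0004", CHROME_PACKAGE, "149.0.7800.12"),    # newer major release
    ("dev-0005", CHROME_PACKAGE, ""),                 # inventory has no version: unknown, not patched
    ("dev-0006", "org.mozilla.firefox", "140.0.1"),   # different browser, ignored by the filter
]

# Constructed excerpt of `adb shell dumpsys package com.android.chrome` output.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.android.chrome] (3a1b2c3):
    userId=10123
    versionCode=777899 minSdk=26 targetSdk=35
    versionName=148.0.7778.99
    splits=[base]
"""


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return a Chrome version as a tuple of four ints, or None if it is not well-formed."""
    match = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", text or "")
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def is_patched(version: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if version >= fixed, False if older, None if the version cannot be parsed."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    fixed_parsed = parse_version(fixed)
    assert fixed_parsed is not None, "FIXED_VERSION must be a four-part version"
    return parsed >= fixed_parsed  # tuple comparison is element-wise and numeric


def version_from_dumpsys(output: str) -> Optional[str]:
    """Extract the versionName line from dumpsys package output; None if absent."""
    match = re.search(r"^\s*versionName=(\S+)", output, re.MULTILINE)
    return match.group(1) if match else None


def triage_inventory(rows: Sequence[Tuple[str, str, str]],
                     fixed: str = FIXED_VERSION) -> Dict[str, List[str]]:
    """Bucket device ids into patched / vulnerable / unknown based on their Chrome build."""
    buckets: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for device_id, package, version in rows:
        if package != CHROME_PACKAGE:
            continue  # only Chrome is in scope for this CVE
        status = is_patched(version, fixed)
        if status is None:
            buckets["unknown"].append(device_id)   # needs a follow-up, never assume patched
        elif status:
            buckets["patched"].append(device_id)
        else:
            buckets["vulnerable"].append(device_id)
    return buckets


if __name__ == "__main__":
    for name, ids in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:10s} {', '.join(ids) or '-'}")
    single = version_from_dumpsys(SAMPLE_DUMPSYS)
    print(f"dumpsys device: {single} -> patched={is_patched(single or '')}")
```

Devices that land in the "unknown" bucket deserve the same follow-up as vulnerable ones; an empty version field usually means the agent has not reported recently, and an unpatched Chrome hiding behind a stale inventory record is exactly what the "monitor for unexpected Chrome versions" action is meant to catch.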

Evidence notes

Vulnerability description and affected product/version information sourced from NVD record. Chrome release notes and Chromium issue tracker confirm fix availability. CWE-457 (Use of Uninitialized Variable) classification provided by Chrome security team.

Official resources

2026-05-28