PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9921 Google CVE debrief

CVE-2026-9921 is an uninitialized-use vulnerability in the WebGL implementation of Google Chrome on Android, affecting versions prior to 148.0.7778.216. The Chromium security team rates it High severity; the CVSS base score recorded for the CVE is 4.3 (Medium). A remote attacker who gets a victim to load a crafted HTML page can read memory that WebGL failed to initialize (CWE-457), and that memory may hold data belonging to other origins. The issue was fixed in the Chrome stable channel update released in May 2026. Organizations should update Chrome on Android to 148.0.7778.216 or later to remove the cross-origin leakage risk.

Vendor
Google
Product
Chrome
CVSS
4.3 MEDIUM (Chromium security severity: High)
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

Organizations with Android device fleets, mobile application security teams, browser security researchers, and enterprises relying on Chrome for Android for business operations should prioritize this update due to the cross-origin data leakage risk.

Technical summary

The vulnerability lies in the WebGL implementation of Google Chrome on Android, where memory that should have been initialized before use can instead be read back by page content. A remote attacker who lures a victim to a crafted HTML page can therefore observe uninitialized data, and that data may include cross-origin information, defeating the isolation the same-origin policy is meant to provide. The contents of such memory are whatever previously occupied it, so the attacker does not choose what is disclosed, but renderer and GPU buffers can hold data from pages of other origins. The issue is classified as CWE-457 (Use of Uninitialized Variable) and was resolved in Chrome 148.0.7778.216.

Defensive priority

high

Recommended defensive actions

  • Update Google Chrome on Android devices to version 148.0.7778.216 or later, through the Google Play Store or an enterprise mobile device management (MDM) system
  • Confirm coverage from installed build numbers in MDM inventory rather than from User-Agent strings alone: Chrome's reduced User-Agent reports only the major version (for example 148.0.0.0), which cannot distinguish unpatched 148 builds from patched ones
  • Prioritize devices that browse untrusted web content, since exploitation requires only a visit to a crafted page and leaves no client-side trace of a WebGL read
  • Where web traffic is proxied or logged, review access to untrusted sites from devices still running pre-fix builds until they are updated
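The first two actions above amount to a version check against the fixed build, which is easy to get wrong in two ways: comparing version strings lexically (so 148.0.7778.9 sorts after 148.0.7778.216) and trusting the reduced User-Agent, which carries only the major version. The following is an added example for this debrief, not PatchSiren or Chromium code. It classifies Chrome-for-Android requests as vulnerable, patched, indeterminate or out of scope, and prefers the full version from a Sec-CH-UA-Full-Version-List client hint when the server has requested one. The User-Agent and header samples are constructed, and the "K" device placeholder mirrors Chrome's reduced UA format.

```javascript
// Added example, not PatchSiren or Chromium code.
// Classifies Chrome-for-Android browsers against the fixed build for
// CVE-2026-9921 using the User-Agent string and, when present, the
// Sec-CH-UA-Full-Version-List client hint. All UA/header samples are constructed.

const FIXED_VERSION = "148.0.7778.216"; // fixed build per the advisory

// "a.b.c.d" -> [a, b, c, d] as integers; null on malformed input.
function parseVersion(v) {
  const parts = String(v).split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d+$/.test(p))) return null;
  return parts.map(Number);
}

// Component-wise numeric comparison (-1, 0, 1). A plain string comparison
// would misorder 148.0.7778.9 against 148.0.7778.216.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error("malformed version");
  for (let i = 0; i < 4; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Status for a Chrome-on-Android build number.
// Chrome's reduced User-Agent reports the major version only (e.g. 148.0.0.0),
// which cannot separate unpatched 148 builds from patched ones: report
// "indeterminate" so the caller falls back to client hints or MDM inventory.
function assessVersion(version) {
  const v = parseVersion(version), f = parseVersion(FIXED_VERSION);
  if (!v) return "unknown";
  if (v[0] < f[0]) return "vulnerable";
  if (v[0] > f[0]) return "patched";
  if (v[1] === 0 && v[2] === 0 && v[3] === 0) return "indeterminate";
  return compareVersions(version, FIXED_VERSION) < 0 ? "vulnerable" : "patched";
}

// Chrome on Android only; desktop Chrome and other browsers are out of scope.
const UA_RE = /\bAndroid\b.*\bChrome\/(\d+\.\d+\.\d+\.\d+)\b/;
// Chrome entry in a Sec-CH-UA-Full-Version-List header value.
const HINT_RE = /"(?:Google Chrome|Chromium)";v="(\d+\.\d+\.\d+\.\d+)"/;

// ua: User-Agent header value; fullVersionList: optional value of the
// Sec-CH-UA-Full-Version-List header (only sent after the server opts in
// via Accept-CH). The full version, when present, overrides the reduced UA.
function assessRequest(ua, fullVersionList) {
  const m = UA_RE.exec(ua);
  if (!m) return { status: "out_of_scope", version: null };
  let version = m[1];
  const h = fullVersionList ? HINT_RE.exec(fullVersionList) : null;
  if (h) version = h[1];
  return { status: assessVersion(version), version };
}

// Tally statuses across an inventory of { ua, hints } records.
function summarize(records) {
  const counts = { vulnerable: 0, patched: 0, indeterminate: 0, out_of_scope: 0, unknown: 0 };
  for (const r of records) counts[assessRequest(r.ua, r.hints).status]++;
  return counts;
}

// Constructed samples (not real devices or traffic).
const UA_ANDROID = (v) =>
  `Mozilla/5.0 (Linux; Android 14; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/${v} Mobile Safari/537.36`;
const SAMPLES = [
  { ua: UA_ANDROID("148.0.7778.216") },   // fixed build
  { ua: UA_ANDROID("148.0.7778.9") },     // same major, older build
  { ua: UA_ANDROID("147.0.7600.42") },    // older major
  { ua: UA_ANDROID("148.0.0.0") },        // reduced UA, no client hint
  { ua: UA_ANDROID("148.0.0.0"),          // reduced UA plus client hint
    hints: '"Not A(Brand";v="99.0.0.0", "Google Chrome";v="148.0.7778.216", "Chromium";v="148.0.7778.216"' },
  { ua: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.7600.42 Safari/537.36" },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const s of SAMPLES) console.log(assessRequest(s.ua, s.hints));
  console.log(summarize(SAMPLES)); // { vulnerable: 2, patched: 2, indeterminate: 1, out_of_scope: 1, unknown: 0 }
}
```

Run it with Node to see the per-request classification and the fleet tally. In practice the "indeterminate" bucket is the one to act on: either serve `Accept-CH: Sec-CH-UA-Full-Version-List` on an internal portal the devices already visit, or take the build number from MDM inventory, since a reduced User-Agent alone says nothing about whether a 148 build predates the fix.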

Evidence notes

Vulnerability description and affected version confirmed via the NVD record and Chrome release notes. The CWE-457 (Use of Uninitialized Variable) classification and the High severity rating come from the Chrome security team; the 4.3 (Medium) CVSS base score is the score recorded for the CVE, and the two scales should not be read as contradicting each other.

Official resources

2026-05-28