PatchSiren

CVE-2026-9929 Google CVE debrief

An inappropriate implementation vulnerability in WebGL in Google Chrome for Android prior to version 148.0.7778.216, rated High severity under the Chromium security classification (CVSS 4.3, Medium), enables remote attackers to leak cross-origin data through a crafted HTML page. The flaw stems from improper handling of WebGL operations in a way that violates same-origin policy protections. Google disclosed the vulnerability on May 28, 2026, and the CVE record and advisory were updated the following day. Organizations should prioritize updating Chrome on Android devices to version 148.0.7778.216 or later.

Vendor: Google
Product: Chrome
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations with Android device fleets, mobile application developers using WebGL, security teams managing browser security policies, and users handling sensitive cross-origin data in web applications.

Technical summary

This vulnerability exists in the WebGL implementation of Google Chrome on Android versions prior to 148.0.7778.216. The inappropriate implementation allows a remote attacker to bypass same-origin policy protections and extract cross-origin data by manipulating WebGL operations through a maliciously crafted HTML page. WebGL (Web Graphics Library) provides JavaScript APIs for rendering interactive 2D and 3D graphics, and improper isolation between origins in its implementation can enable information disclosure attacks. The attack vector requires user interaction with the crafted page, but no local access or elevated privileges are needed.

Defensive priority

High

Recommended defensive actions

  • Update Google Chrome on Android devices to version 148.0.7778.216 or later
  • Verify Chrome version through Settings > About Chrome
  • Enable automatic updates for Chrome on managed Android devices
  • Review browser security settings and same-origin policy configurations
  • Monitor for unusual cross-origin data access attempts in application logs
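
The version check in the first two actions can be scripted for a device fleet. The following is an added example, not code from PatchSiren or Google; the function names and the sample dumpsys text are constructed, and it assumes the first versionName line in the dumpsys output is the installed package.

```shell
#!/bin/sh
FIXED="148.0.7778.216"   # fixed version stated in the advisory

# Constructed sample of `adb shell dumpsys package com.android.chrome` output.
sample_dumpsys() {
    cat <<'EOF'
Packages:
  Package [com.android.chrome] (constructed sample):
    versionName=148.0.7778.99
Hidden system packages:
  Package [com.android.chrome] (constructed sample):
    versionName=140.0.7000.10
EOF
}

# Read dumpsys text on stdin and print the installed versionName. Assumption:
# the first match is the active package, the later one the factory-image copy.
extract_version() {
    sed -n 's/^[[:space:]]*versionName=\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Exit 0 if $1 >= FIXED, 1 if older, 2 if malformed. Fields are compared as
# numbers: a string compare would rank build .99 above .216.
version_is_patched() {
    awk -v have="$1" -v want="$FIXED" 'BEGIN {
        n = split(have, h, "."); split(want, w, ".")
        if (n != 4) exit 2
        for (i = 1; i <= 4; i++) {
            if (h[i] !~ /^[0-9]+$/) exit 2
            if (h[i] + 0 > w[i] + 0) exit 0
            if (h[i] + 0 < w[i] + 0) exit 1
        }
        exit 0
    }'
}

# Classify one device from its dumpsys output on stdin.
check_device() {
    ver=$(extract_version)
    rc=0
    version_is_patched "$ver" || rc=$?
    case $rc in
        0) echo "PATCHED $ver" ;;
        1) echo "VULNERABLE $ver" ;;
        *) echo "UNKNOWN" ;;
    esac
}

sample_dumpsys | check_device
```

For a connected device, pipe `adb shell dumpsys package com.android.chrome` into `check_device` instead of the sample.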

Evidence notes

The CVE description identifies this as an inappropriate implementation in WebGL affecting Chrome on Android, with a High severity rating per Chromium security classification. The vulnerability was published to NVD on May 28, 2026, and modified on May 29, 2026. Google released the stable channel update addressing this issue on May 28, 2026.
