PatchSiren cyber security CVE debrief
CVE-2026-9943 Google CVE debrief
A medium-severity out-of-bounds read vulnerability in WebGL on Google Chrome for Android, disclosed on 2026-05-28, enables remote attackers to leak cross-origin data via a crafted HTML page. The flaw was fixed in Chrome 148.0.7778.216. No known exploitation in ransomware campaigns has been reported.
- Vendor: Google
- Product: Chrome
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-29
Who should care
Organizations with mobile workforces relying on Android devices, developers of web applications using WebGL, and security teams managing browser update cadences should prioritize patching.
Technical summary
CVE-2026-9943 is an out-of-bounds read (CWE-125) in the WebGL implementation of Google Chrome on Android. A remote attacker can use a crafted HTML page to read memory outside the intended bounds, which leaks cross-origin data. Exploitation is remote but requires user interaction (UI:R), and the CVSS 3.1 score is 4.3 (Medium). Within the Chromium project, Google assigned the issue a High severity rating. The fix is included in Chrome stable version 148.0.7778.216 for Android.
Defensive priority
medium
Recommended defensive actions
- Update Google Chrome on Android to version 148.0.7778.216 or later.
- Restrict or block untrusted HTML content and third-party iframe embedding where feasible.
- Monitor for anomalous cross-origin data access patterns in WebGL contexts.
- Review application Content Security Policy (CSP) and cross-origin resource sharing (CORS) configurations to limit data exposure.
Evidence notes
The CVE description states that the vulnerability is an out-of-bounds read (CWE-125) in WebGL affecting Google Chrome on Android prior to version 148.0.7778.216, with a Chromium security severity of High. The CVSS v3.1 score is 4.3 (Medium). The NVD entry lists the vulnerability status as 'Undergoing Analysis' as of the source modified date of 2026-05-29. Vendor attribution is supported by the Chrome release blog and Chromium issue tracker references.
Official resources
2026-05-28