PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9950 Google CVE debrief

A same-origin policy bypass in Google Chrome on iOS, rated High severity by Chromium but scored LOW (3.1) under CVSS 3.1. The vulnerability stems from insufficient validation of untrusted input in iOS-specific code paths. A remote attacker who has already compromised the renderer process can leverage a crafted HTML page to bypass same-origin protections. The attack requires user interaction (UI:R) and high attack complexity (AC:H), with no availability or integrity impact—only low confidentiality impact. The narrow scope (S:U) and prerequisite renderer compromise significantly constrain practical exploitability. Chrome on iOS versions prior to 148.0.7778.216 are affected; desktop Chrome is not in scope. The CVE was published 2026-05-28 and modified 2026-05-29; it remains Undergoing Analysis in NVD with no KEV listing.

Vendor
Google
Product
Chrome
CVSS
LOW 3.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

Organizations with iOS-managed devices running Chrome; security teams tracking browser-specific SOP bypasses; defenders modeling renderer compromise as part of advanced threat scenarios.

Technical summary

The vulnerability exists in iOS-specific input validation within Google Chrome on iOS. An attacker with renderer process compromise can supply crafted HTML that bypasses same-origin policy checks. The flaw is patched in Chrome iOS 148.0.7778.216. The underlying weakness is categorized as CWE-20 (Improper Input Validation).

Defensive priority

moderate

Recommended defensive actions

  • Update Google Chrome on iOS to version 148.0.7778.216 or later.
  • Monitor for iOS-specific Chrome updates via the App Store, as iOS Chrome uses the WebKit rendering engine and follows a separate release cadence from desktop Chrome.
  • Apply general renderer-hardening practices: site isolation, strict CSP, and reduced attack surface for renderer compromise vectors.
  • Review same-origin policy enforcement in web applications, treating renderer compromise as a plausible threat model for sensitive data exposure on iOS Chrome.

Evidence notes

Chromium security severity (High) diverges from NVD CVSS 3.1 score (3.1 LOW). The CVSS vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N reflects the renderer-compromise prerequisite and limited impact. CWE-20 (Improper Input Validation) is cited as secondary by the Chrome CVE admin. No CPE criteria were available in the source record at time of analysis. Vendor attribution to Google is inferred from reference_domain_candidate 'Googleblog' and [email protected] source tags; confidence is low per canonicalSource marking.

Official resources

2026-05-28T23:16:53.150Z