PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9955 Google CVE debrief

A cross-origin data leak vulnerability in Google Chrome on iOS, caused by inappropriate implementation in iOS-specific code. A remote attacker could exploit this via a crafted HTML page to leak data across origins. The Chromium security team rated this High severity. The issue affects Chrome on iOS versions prior to 148.0.7778.216. Google released a stable channel update addressing this vulnerability. The underlying weakness is categorized as CWE-200 (Information Exposure).

Vendor
Google
Product
Chrome
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

Organizations with iOS device fleets running Google Chrome, mobile security teams, and users relying on Chrome on iOS for sensitive web browsing should prioritize this update due to the High severity rating and cross-origin data exposure risk.

Technical summary

The vulnerability stems from inappropriate implementation in iOS-specific code within Google Chrome, allowing a remote attacker to leak cross-origin data. The attack vector requires user interaction (UI:R) with a crafted HTML page. The confidentiality impact is low (C:L) with no integrity or availability impact. The scope is unchanged (S:U). The fix is contained in Chrome for iOS version 148.0.7778.216.

Defensive priority

medium

Recommended defensive actions

  • Update Google Chrome on iOS to version 148.0.7778.216 or later through the App Store.
  • Apply the stable channel update promptly, as the Chromium security team rated this issue High severity even though the CVSS base score is 4.3 (MEDIUM).
  • Monitor for additional iOS-specific Chrome security updates given the 'inappropriate implementation in iOS' classification.
  • Review web content filtering and same-origin policy enforcement for iOS-managed devices as a compensating control where immediate patching is not feasible.

Evidence notes

The CVE description explicitly states the vulnerability is an 'Inappropriate implementation in iOS' affecting 'Google Chrome on iOS prior to 148.0.7778.216'. The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) yields a base score of 4.3 (MEDIUM), which differs from the Chromium security team's own High rating quoted above. The Chromium issue 504184408 is cited as the authoritative technical reference. The weakness is identified as CWE-200 per NVD enrichment. Vendor attribution to Google is supported by the [email protected] address listed as the reference source and by the chromereleases.googleblog.com domain.

Official resources

Google disclosed this vulnerability via the Chrome Releases blog on May 28, 2026, and it was subsequently published in the NVD. The Chromium issue tracker reference provides additional technical context.