PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9956 Google CVE debrief

A use-after-free vulnerability in Google Chrome on iOS, fixed in version 148.0.7778.216, enables remote code execution when a user performs specific UI gestures on a crafted HTML page. The Chromium project rates this flaw as High severity. The vulnerability was published in the NVD on 2026-05-28 and last modified on 2026-05-29.

Vendor
Google
Product
Chrome (iOS)
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

Organizations with mobile workforces using iOS devices, security teams managing BYOD policies, and users relying on Chrome for sensitive browsing activities on iPhone or iPad.

Technical summary

CVE-2026-9956 is a use-after-free condition in Google Chrome's iOS implementation. A remote attacker can exploit this memory safety flaw by convincing a victim to load a malicious HTML page and perform specific UI gestures, resulting in arbitrary code execution within the browser process. The vulnerability is patched in Chrome for iOS version 148.0.7778.216. The attack requires network access, high attack complexity, and user interaction, with no privileges required. Successful exploitation can compromise confidentiality, integrity, and availability of the browser and potentially device data accessible to it.

Defensive priority

High

Recommended defensive actions

  • Update Google Chrome on iOS to version 148.0.7778.216 or later as soon as possible.
  • Apply mobile device management (MDM) policies to enforce automatic browser updates on managed iOS devices.
  • Educate users to avoid interacting with unexpected or untrusted web content, particularly when prompted for unusual UI gestures.
  • Monitor for anomalous browser behavior or crashes on iOS devices as potential indicators of exploitation attempts; a failed use-after-free exploit typically surfaces as a browser crash, so Chrome crash reports collected through MDM or Apple's analytics sharing are the practical signal.
  • Review and restrict browser access to sensitive enterprise resources until patching is confirmed, where risk tolerance permits.
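The first two actions above come down to one question an MDM or asset team has to answer reliably: which devices still run a Chrome for iOS build older than 148.0.7778.216? The script below is an added example, not code from PatchSiren or Google. It assumes an MDM export that yields (device id, app bundle identifier, version string) rows; the sample rows are constructed for illustration. The point it makes is that dotted build numbers must be compared as integer tuples, not strings, and that unreadable version fields must be surfaced rather than silently treated as patched.

```python
"""Flag Chrome for iOS installs below the CVE-2026-9956 fixed build.

Added example, not PatchSiren or Google code. Assumes an MDM export of
(device_id, bundle_id, version) rows; sample rows are constructed.
"""

FIXED_VERSION = "148.0.7778.216"                # fixed build from the advisory
CHROME_IOS_BUNDLE_ID = "com.google.chrome.ios"  # Chrome for iOS bundle identifier


def parse_version(version: str) -> tuple:
    """Turn '148.0.7778.216' into (148, 0, 7778, 216).

    A plain string comparison would sort '148.0.7778.9' after '148.0.7778.216'
    and mark a vulnerable build as patched, so compare integer tuples.
    Missing trailing components are padded with 0.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is strictly older than the fixed build."""
    return parse_version(version) < parse_version(fixed)


def find_vulnerable_devices(inventory):
    """inventory: iterable of (device_id, bundle_id, version) rows.

    Returns (vulnerable_ids, unparsable_ids). Rows for other apps are skipped;
    rows whose version cannot be parsed are reported separately so that a
    blank or malformed field never counts as "patched".
    """
    vulnerable, unparsable = [], []
    for device_id, bundle_id, version in inventory:
        if bundle_id != CHROME_IOS_BUNDLE_ID:
            continue
        try:
            if is_vulnerable(version):
                vulnerable.append(device_id)
        except ValueError:
            unparsable.append(device_id)
    return vulnerable, unparsable


# Constructed sample export, not real device data.
SAMPLE_INVENTORY = [
    ("ipad-0017",   "com.google.chrome.ios",   "148.0.7778.216"),  # exactly fixed
    ("iphone-0042", "com.google.chrome.ios",   "148.0.7778.9"),    # string-compare trap
    ("iphone-0043", "com.google.chrome.ios",   "147.0.7650.105"),  # older major
    ("iphone-0044", "com.google.chrome.ios",   "148.0.7780.3"),    # newer branch
    ("iphone-0045", "com.apple.mobilesafari",  "26.0"),            # not Chrome
    ("iphone-0046", "com.google.chrome.ios",   "unknown"),         # bad field
]

if __name__ == "__main__":
    vuln, bad = find_vulnerable_devices(SAMPLE_INVENTORY)
    print("update required:", vuln)
    print("version unreadable, verify manually:", bad)
```

Feed the real export into find_vulnerable_devices in place of SAMPLE_INVENTORY; devices in the second list need a manual check, not a pass.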

Evidence notes

The NVD record lists CWE-416 (Use After Free) as the weakness type. CPE data indicates Google Chrome for iOS versions prior to 148.0.7778.216 are vulnerable. Apple iPhone OS is listed as a non-vulnerable platform in CPE, reflecting that the affected product is the Chrome browser application rather than the underlying operating system. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) yields a base score of 7.5, consistent with High severity; the High attack complexity (AC:H) is what holds the score below the 8.8 that the same impact with AC:L would produce, so the rating should not be read as a lower-impact flaw, only as a harder-to-trigger one.

Official resources

2026-05-28T23:16:53.797Z