PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9959 Google CVE debrief

A race condition in WebRTC on Google Chrome for Windows, fixed in version 148.0.7778.216, could allow a remote attacker to leak cross-origin data by enticing a user to visit a crafted HTML page. The Chromium project rated this flaw as High severity, while the published CVSS 3.1 base score is 3.1 (Low); the gap is a difference in rating schemes rather than a contradiction, since the CVSS score reflects high attack complexity and a confidentiality-only impact, whereas Chromium's rating weighs cross-origin leakage from a renderer bug on its own scale. The weakness is categorized as CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization). The vulnerability was published in the NVD on 2026-05-28 and last modified on 2026-05-29. No exploitation in ransomware campaigns has been documented, and the CVE does not appear in CISA KEV in the evidence held for this debrief.

Vendor: Google
Product: Chrome
CVSS 3.1 base score: 3.1 (Low)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations with Windows endpoints running Google Chrome, particularly those relying on WebRTC-based communications or handling sensitive cross-origin data in browser sessions.

Technical summary

The vulnerability stems from a race condition (CWE-362) in the WebRTC implementation of Google Chrome running on Windows. A remote attacker could exploit it by convincing a user to load a malicious HTML page, resulting in leakage of cross-origin data. The issue was resolved in Chrome 148.0.7778.216. Per the CVSS metrics, the attack is network-reachable (AV:N), has high attack complexity (AC:H), needs no privileges (PR:N) but does need user interaction (UI:R), and has a low impact on confidentiality with no impact on integrity or availability (C:L/I:N/A:N); the published 3.1 score is consistent with an unchanged scope (S:U). Because the Chromium issue tracker entry is access-restricted, the exact shared resource involved in the race and the kind of cross-origin data exposed are not public.

Defensive priority

Medium

Recommended defensive actions

  • Update Google Chrome on Windows to version 148.0.7778.216 or later. Verify the installed build from your endpoint inventory rather than assuming auto-update has done the job, since Chrome only applies a downloaded update after the browser is relaunched.
  • If immediate patching is not feasible, consider restricting WebRTC through Chrome enterprise policies where business needs permit. Chrome has no policy that switches WebRTC off outright; policies such as WebRtcIPHandling and WebRtcUdpPortRange only narrow its network behaviour, are not documented as mitigating this flaw, and can break legitimate video conferencing and real-time communication applications. Treat them as a stopgap, not a substitute for the update.
  • For web applications you operate, apply origin-isolation headers (Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy) and a Content Security Policy to limit what cross-origin content a page can load or be embedded by. These controls reduce exposure to cross-origin leak vectors in general but cannot fix a browser-side bug; only the Chrome update does that.
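The first action above is a fleet version check against 148.0.7778.216. The script below is an added example of that check; it is not PatchSiren or Google code. It compares Chrome's four-part version numerically (a plain string compare would call 148.0.7778.9 newer than 148.0.7778.216), reads the local build from the BLBeacon registry key that Chrome writes under HKCU or HKLM on Windows (assumed present on a normal install; returns nothing elsewhere), and triages a host-to-version inventory. The inventory and host names are constructed for the example.

```python
"""Patch-state triage for CVE-2026-9959 (added example, not from the original debrief)."""
from __future__ import annotations

FIXED_VERSION = "148.0.7778.216"  # fixed build named in the advisory


def parse_version(version: str) -> tuple[int, ...]:
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints for numeric comparison."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is older than the fixed build.

    Numeric, not lexical: '148.0.7778.9' < '148.0.7778.216' here, whereas a
    string comparison would wrongly report it as newer.
    """
    return parse_version(installed) < parse_version(fixed)


def local_chrome_version() -> str | None:
    """Read the installed Chrome version from the Windows registry.

    Chrome records its version as the 'version' value under
    Software\\Google\\Chrome\\BLBeacon, in HKCU for per-user installs and HKLM
    for machine-wide ones (assumption: the key exists on a normal install).
    Returns None on non-Windows hosts or when the key is absent.
    """
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            with winreg.OpenKey(hive, r"Software\Google\Chrome\BLBeacon") as key:
                value, _ = winreg.QueryValueEx(key, "version")
                return str(value)
        except OSError:
            continue
    return None


def triage(inventory: dict[str, str | None]) -> dict[str, list[str]]:
    """Split a host->version inventory into patched, affected and unknown hosts.

    Hosts with no version or an unparseable one land in 'unknown' so they are
    chased rather than silently counted as safe.
    """
    result: dict[str, list[str]] = {"patched": [], "affected": [], "unknown": []}
    for host, version in inventory.items():
        if version is None:
            result["unknown"].append(host)
            continue
        try:
            bucket = "affected" if is_affected(version) else "patched"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory for the example; these are not real hosts.
SAMPLE_INVENTORY: dict[str, str | None] = {
    "ws-01": "148.0.7778.216",   # exactly the fixed build
    "ws-02": "148.0.7778.9",     # older, despite sorting after "216" as a string
    "ws-03": "147.0.7700.50",    # older major/build
    "ws-04": None,               # agent reported no version
    "ws-05": "149.0.7801.12",    # newer major
    "ws-06": "148.0.7778",       # malformed three-part string
}


if __name__ == "__main__":
    local = local_chrome_version()
    if local is not None:
        state = "AFFECTED" if is_affected(local) else "patched"
        print(f"this host: Chrome {local} -> {state}")
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed `triage` the host-to-version mapping exported from your endpoint management tool; the "unknown" bucket is the list to follow up by hand.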

Evidence notes

The vulnerability description and affected product scope are drawn from the official NVD record and the Chrome release notes. The CPE configuration indicates that Chrome versions prior to 148.0.7778.216 on Windows are affected. The Chromium issue tracker reference is access-restricted, so the full technical details of the race are not available in the evidence reviewed here.

Official resources

2026-05-28T23:16:54.100Z