PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9963 Google CVE debrief

An uninitialized use vulnerability in Google Chrome on iOS prior to version 148.0.7778.216 enables remote code execution inside the browser sandbox. The flaw requires user interaction through specific UI gestures triggered by a crafted HTML page. The Chromium security team rates this as High severity. The underlying weakness is CWE-457 (Use of Uninitialized Variable). The CVSS 3.1 vector indicates network attack vector, high attack complexity, no privileges required, user interaction required, and high impacts to confidentiality, integrity, and availability. Apple iOS is listed as a non-vulnerable platform in CPE data, reflecting that the affected product is Google Chrome running on iOS rather than the operating system itself. No known exploitation in ransomware campaigns has been documented, and this CVE is not listed in CISA KEV.

Vendor: Google
Product: Chrome
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations with iOS device fleets using Google Chrome, mobile security teams, incident responders tracking browser-based threats, and end users who browse untrusted web content on iOS devices.

Technical summary

The vulnerability stems from use of an uninitialized variable in Chrome's iOS-specific code paths. A remote attacker can craft an HTML page that manipulates the user into performing specific UI gestures, triggering the uninitialized use and leading to arbitrary code execution within the Chrome sandbox. The attack complexity is high due to the required user interaction, but no privileges are needed and the impacts to confidentiality, integrity, and availability are all rated high. The fix is contained in Chrome for iOS version 148.0.7778.216.

Defensive priority

high

Recommended defensive actions

  • Update Google Chrome on iOS to version 148.0.7778.216 or later as soon as possible.
  • Restrict or block untrusted HTML content and web pages until patching is complete.
  • Monitor for suspicious browser behavior or unexpected UI prompts that may indicate exploitation attempts.
  • Review mobile device management policies to enforce automatic browser updates on managed iOS devices.
  • If users report unexpected gesture prompts while browsing, treat them as a potential indicator of compromise and investigate.
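The first action above is a fleet-wide version check against the fixed build. The script below is an added example (not PatchSiren's, Google's, or any MDM vendor's code) that reads an inventory export in the common "device id, bundle id, installed version" shape and sorts devices into those still needing the update, those already on 148.0.7778.216 or later, and those whose version field could not be parsed. The inventory lines are constructed sample data, and the Chrome bundle identifier used to select rows is an assumption; confirm it against your own export before relying on the filter.

```python
"""Flag iOS devices still running a Chrome build older than the fixed version
named in the advisory. Added example, not PatchSiren's or Google's code."""
import re
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = "148.0.7778.216"          # fixed build from the advisory
CHROME_IOS_BUNDLE = "com.google.chrome.ios"  # assumed bundle id for this example

# Constructed sample inventory in a typical MDM export shape (not real data).
SAMPLE_INVENTORY = """\
device_id,bundle_id,version
ipad-0142,com.google.chrome.ios,147.0.7700.98
iphone-0301,com.google.chrome.ios,148.0.7778.216
iphone-0317,com.google.chrome.ios,148.0.7778.101
iphone-0322,com.google.chrome.ios,149.0.7800.12
iphone-0340,com.apple.mobilesafari,26.1
iphone-0355,com.google.chrome.ios,n/a
"""


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '148.0.7778.216' into (148, 0, 7778, 216); None if malformed."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when installed < fixed. Chrome versions are purely numeric and
    dotted, so zero-padded tuple comparison orders them correctly."""
    a, b = parse_version(installed), parse_version(fixed)
    if a is None or b is None:
        raise ValueError(f"unparseable version: {installed!r}")
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def triage_inventory(csv_text: str, bundle: str = CHROME_IOS_BUNDLE) -> Dict[str, List[str]]:
    """Group Chrome-on-iOS devices by patch state; other apps are ignored.
    Unparseable versions are reported rather than silently dropped, since a
    blank or odd version field often means the inventory itself is stale."""
    result: Dict[str, List[str]] = {"update": [], "patched": [], "unparsed": []}
    lines = [ln for ln in csv_text.splitlines() if ln.strip()]
    for line in lines[1:]:  # skip the header row
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            continue
        device_id, bundle_id, version = fields
        if bundle_id != bundle:
            continue
        try:
            bucket = "update" if is_vulnerable(version) else "patched"
        except ValueError:
            bucket = "unparsed"
        result[bucket].append(device_id)
    return result


if __name__ == "__main__":
    for state, devices in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{state:8s}: {', '.join(devices) or '-'}")
```

Devices in the "update" bucket are the ones to push through MDM first; the "unparsed" bucket is worth a second look because a device that reports no usable version is also a device whose patch state you cannot prove.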

Evidence notes

CVE description and NVD metadata confirm uninitialized use in Chrome on iOS. CPE data shows Google Chrome versions before 148.0.7778.216 as vulnerable, with Apple iPhone OS marked not vulnerable. The Chromium issue tracker reference requires permissions to view. CVSS 3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H yields base score 7.5. CWE-457 assigned by [email protected].

Official resources

2026-05-28