CVE-2026-9971 Google CVE debrief

Who should care

Organizations with iOS device fleets using Google Chrome, mobile security teams, enterprise mobility administrators, and security awareness training programs focused on phishing and social engineering defenses.

Technical summary

CVE-2026-9971 is an inappropriate implementation vulnerability in the iOS version of Google Chrome that enables Universal Cross-Site Scripting (UXSS). Unlike standard XSS that exploits a specific vulnerable website, UXSS can inject malicious scripts into arbitrary domains, bypassing same-origin protections. The attack requires remote delivery of a crafted HTML page combined with social engineering to induce specific user UI gestures. The fix was released in Chrome for iOS stable version 148.0.7778.216. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation).

Defensive priority

medium

Recommended defensive actions

• Update Google Chrome on iOS to version 148.0.7778.216 or later as soon as available through the App Store.
• Advise users to exercise caution with unexpected web pages that prompt for unusual UI gestures or interactions.
• Monitor for iOS Chrome updates via enterprise mobile device management policies to ensure rapid deployment.
• Review web content filtering and phishing defenses to reduce likelihood of users encountering crafted HTML pages designed to exploit this vulnerability.
• Track NVD analysis status for potential CVSS or severity revisions as evaluation completes.

Evidence notes

CVE description confirms UXSS via crafted HTML page requiring user UI gestures. CVSS vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N supports medium severity. Chromium issue tracker reference provides technical provenance. Chrome Releases blog reference provides patch confirmation for stable channel.

Official resources