PatchSiren cyber security CVE debrief

CVE-2026-9972 Google CVE debrief

A high-severity vulnerability in Google Chrome on macOS, published 2026-05-28, involves uninitialized use in the Gamepad component. The flaw could allow a remote attacker who has already compromised the renderer process to escape the Chrome sandbox via a crafted HTML page. The issue was fixed in Chrome version 148.0.7778.216. The vulnerability is classified under CWE-457 (Use of Uninitialized Variable) and carries a CVSS 3.1 score of 8.3 (High). The CVSS vector records a network attack vector, high attack complexity, no privileges required, and user interaction required, with changed scope and high impacts to confidentiality, integrity, and availability. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA KEV.

Vendor: Google
Product: Chrome
CVSS: HIGH 8.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations with macOS endpoints running Google Chrome, particularly those in high-threat environments where browser exploitation and sandbox escape could lead to full system compromise. Security teams responsible for browser hardening, endpoint protection, and patch management should prioritize this update.

Technical summary

The vulnerability exists in the Gamepad implementation within Google Chrome on macOS. An uninitialized variable can be leveraged by an attacker who has already achieved renderer process compromise to escape the Chrome sandbox. The attack requires a victim to interact with a malicious HTML page. The fix was released in Chrome 148.0.7778.216. The CVSS 3.1 score of 8.3 reflects high impacts across confidentiality, integrity, and availability despite requiring user interaction and high attack complexity.

Defensive priority

HIGH

Recommended defensive actions

  • Update Google Chrome on macOS to version 148.0.7778.216 or later as soon as possible.
  • Prioritize patching endpoints where users browse untrusted or attacker-controlled web content, as the vulnerability requires user interaction with a crafted HTML page.
  • Consider enabling or reinforcing site isolation and renderer sandbox policies as defense-in-depth measures, though this vulnerability specifically permits sandbox escape from a compromised renderer.
  • Monitor for unusual child process behavior or unexpected Gamepad API access patterns as potential indicators of exploitation attempts.
  • Review Chrome release notes for additional security fixes bundled with version 148.0.7778.216 to ensure comprehensive coverage.
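The first action above is a version check, and the usual way to verify it across a macOS fleet is to compare the installed Chrome build against the fixed build named in the CVE description. The script below is an added example, not PatchSiren or Google code: it reads the version from Chrome's application bundle (the real Info.plist path and CFBundleShortVersionString key) when run on a Mac, and otherwise exercises the comparison on constructed sample version strings. The 148.0.7778.216 threshold is the one stated in this debrief; the function and report-label names are the example's own choices.

```python
"""Check whether an installed Google Chrome on macOS is at or past the build
that fixes CVE-2026-9972 (148.0.7778.216, per the advisory above).

Added example, not PatchSiren or Google code. On a Mac it reads the bundle
version from Chrome's Info.plist (CFBundleShortVersionString); the sample
versions in __main__ are constructed so the script also runs elsewhere.
"""
import plistlib
from pathlib import Path
from typing import Optional

FIXED_VERSION = "148.0.7778.216"  # fixed build stated in the CVE description
CHROME_PLIST = Path("/Applications/Google Chrome.app/Contents/Info.plist")


def parse_version(version: str) -> tuple:
    """Turn a dotted Chrome version string into a tuple of ints.

    Chrome versions have four numeric components (major.minor.build.patch).
    Shorter strings are zero-padded so that comparisons stay well-defined;
    anything non-numeric is rejected rather than silently treated as old.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed version is the fixed build or newer."""
    return parse_version(installed) >= parse_version(fixed)


def installed_chrome_version(plist_path: Path = CHROME_PLIST) -> Optional[str]:
    """Read CFBundleShortVersionString from the Chrome bundle, or None if absent."""
    if not plist_path.is_file():
        return None
    with plist_path.open("rb") as fh:
        info = plistlib.load(fh)
    return info.get("CFBundleShortVersionString")


def assess(installed: Optional[str]) -> str:
    """Classify an endpoint for a patch-management report (labels are this example's)."""
    if installed is None:
        return "chrome-not-found"
    return "patched" if is_patched(installed) else "vulnerable"


if __name__ == "__main__":
    # Constructed sample versions so the comparison can be seen off a Mac.
    samples = ["147.0.7700.1", "148.0.7778.215", "148.0.7778.216", "149.0.8000.0"]
    for v in samples:
        print(f"{v:>16}: {assess(v)}")
    live = installed_chrome_version()
    print(f"{'installed':>16}: {assess(live)}" + (f" ({live})" if live else ""))
```

Run it directly on each endpoint (or wrap `assess(installed_chrome_version())` in your MDM or osquery-style collector); a result of `vulnerable` means the bundle predates 148.0.7778.216 and the endpoint still needs the update.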

Evidence notes

CVE description states 'Uninitialized Use in Gamepad in Google Chrome on Mac prior to 148.0.7778.216.' CVSS vector from NVD source metadata: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H. Weakness CWE-457 from source metadata. Chrome release note and Chromium issue tracker referenced in official NVD record. Vendor attribution derived from reference domain candidate 'Googleblog' with low confidence; product is Google Chrome on macOS.

Official resources

2026-05-28