PatchSiren

CVE-2026-9977 Google CVE debrief

CVE-2026-9977 is a high-severity vulnerability in the WebShare feature of Google Chrome on Android. Insufficient validation of untrusted input could allow a remote attacker who had compromised the renderer process to potentially escape the sandbox via a crafted HTML page. The vulnerability was addressed in Chrome version 148.0.7778.216, and the Chromium project rated it as High severity. The underlying weakness is improper input validation (CWE-20) in the WebShare API implementation on Android, which could be leveraged after renderer compromise to achieve sandbox escape.

Vendor: Google
Product: Chrome
CVSS: HIGH 8.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations with Android device fleets using Google Chrome, mobile security teams, browser security researchers, and enterprises relying on Chrome for Android in BYOD or managed device environments.

Technical summary

The vulnerability exists in the WebShare implementation in Google Chrome on Android versions prior to 148.0.7778.216. Insufficient validation of untrusted input allows an attacker who has already achieved renderer process compromise to potentially escape the browser sandbox. The attack requires user interaction (UI:R) and has high attack complexity (AC:H), but it is network exploitable (AV:N) with changed scope (S:C), leading to high impact on confidentiality, integrity, and availability. The CVSS 3.1 vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H, scoring 8.3. This is classified under CWE-20 (Improper Input Validation).

Defensive priority

high

Recommended defensive actions

  • Update Google Chrome on Android to version 148.0.7778.216 or later as soon as possible
  • Monitor for Chrome Stable Channel security updates from Google
  • Apply mobile device management policies to enforce minimum Chrome version requirements
  • Review and restrict untrusted web content rendering where feasible on managed Android devices
  • Monitor for anomalous renderer process behavior that could indicate compromise attempts

Evidence notes

CVE published 2026-05-28; modified 2026-05-29. Chrome Stable Channel update released addressing this issue. Chromium bug tracker issue 511741173. CVSS 3.1 score: 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
