PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9981 Google CVE debrief

A high-severity information disclosure vulnerability in Skia, the 2D graphics library used by Google Chrome, allows a remote attacker to read potentially sensitive data out of process memory by tricking a user into loading a crafted HTML page. The flaw is an inappropriate implementation in Skia that mishandles certain rendering operations in a way that exposes memory contents. The CVSS 3.1 score is 6.5 (Medium), while Chromium's internal severity rating is High; exploitation requires no privileges and only user interaction (visiting a malicious page). What leaks is whatever the affected process happens to hold in memory. The source does not state which Chrome process runs the affected code path, so whether data from other sites or from earlier browsing sessions is reachable is not established; that is exactly what makes the bug useful as a building block for a fuller exploit chain. Google fixed this in Chrome stable channel version 148.0.7778.216, released May 28, 2026. The vulnerability was reported through Chromium's issue tracker and disclosed via the Chrome Releases blog. No exploitation in ransomware campaigns has been documented, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog.

Vendor
Google
Product
Chrome
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

Organizations with large Chrome deployments, enterprises relying on web-based applications with sensitive data, security teams managing browser security baselines, and users handling confidential information through web browsers should prioritize this update. The memory disclosure risk is particularly relevant for shared workstations, kiosks, and environments where browser sessions may process financial, healthcare, or authentication data.

Technical summary

CVE-2026-9981 is an inappropriate implementation vulnerability in the Skia graphics library used by Google Chrome. A remote attacker exploits it by inducing a user to visit a crafted HTML page, which results in unauthorized reads of potentially sensitive data from browser process memory. The vulnerability is classified as CWE-200 (Information Exposure) with a CVSS 3.1 score of 6.5 (Medium; High on Chromium's internal severity scale). The attack vector is network-based with low attack complexity, no privileges required, and user interaction required. The confidentiality impact is High with no integrity or availability impact, which is what holds the CVSS score in the Medium band despite the High vendor rating. Google resolved the issue in Chrome stable channel version 148.0.7778.216, published May 28, 2026; the underlying Chromium issue is tracked as bug 512995705. No active exploitation or ransomware campaign use has been confirmed.

Defensive priority

high

Recommended defensive actions

  • Update Google Chrome to version 148.0.7778.216 or later immediately; the update only takes effect after the browser is relaunched, so long-running sessions on kiosks and shared workstations need a forced restart
  • Verify Chrome auto-update is enabled and functioning for managed endpoints, and confirm the installed version from inventory rather than trusting the update policy alone
  • For environments with update delays, restrict untrusted web content (for example via URL allow/block policies) and confirm site isolation has not been disabled, since it is the default on desktop Chrome and limits what a single renderer process holds in memory
  • Expect little crash signal: an out-of-bounds read that leaks memory typically does not crash the process, so crash telemetry is a weak exploitation indicator for this class of bug; prioritize version inventory over crash monitoring
  • Confirm the Chrome sandbox has not been disabled by policy or launch flags (for example --no-sandbox) on managed endpoints, since the sandbox bounds what an attacker can do with a leaked address or secret
  • Apply security updates for Chromium-based browsers (Edge, Brave, Opera) once each vendor ships its patch; their version numbers differ from Chrome's, so the fixed version must be taken from each vendor's own advisory rather than from 148.0.7778.216
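A minimal inventory check for the update step above, written here as an added example rather than anything published by PatchSiren or Google. It parses Chrome's four-part version strings, compares them numerically against the fixed build 148.0.7778.216 from the advisory, and classifies a constructed set of endpoint reports. The host names and version strings in SAMPLE_INVENTORY are made up for the example; the `naive_string_is_patched` helper exists only to show why a plain string comparison gets the answer wrong.

```python
"""Classify reported Chrome versions against the CVE-2026-9981 fix build."""
import re
from typing import Dict, List, Optional, Tuple

# Fixed stable-channel build per the advisory for CVE-2026-9981.
FIXED_VERSION = "148.0.7778.216"

# Chrome versions are MAJOR.MINOR.BUILD.PATCH, each component a plain integer.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Pull a four-part Chrome version out of free text.

    Accepts strings such as 'Google Chrome 148.0.7778.216' (output of
    `google-chrome --version`) or a bare '148.0.7778.216' from a registry or
    MDM inventory field. Returns a tuple of ints so that comparisons are
    numeric, or None when no version is present.
    """
    match = VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def is_patched(reported: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if reported >= fixed, False if older, None if unparseable."""
    reported_v = parse_version(reported)
    fixed_v = parse_version(fixed)
    if reported_v is None or fixed_v is None:
        return None
    # Tuple comparison is lexicographic over integers: 216 > 90 as intended.
    return reported_v >= fixed_v


def naive_string_is_patched(reported: str, fixed: str = FIXED_VERSION) -> bool:
    """The pitfall: comparing version strings as text.

    '148.0.7778.90' sorts after '148.0.7778.216' because '9' > '2', so this
    reports an older, vulnerable build as patched. Do not use in practice.
    """
    return reported >= fixed


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket hosts into patched / vulnerable / unknown from raw version text."""
    buckets: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, raw in inventory.items():
        status = is_patched(raw)
        if status is None:
            buckets["unknown"].append(host)  # needs manual follow-up
        elif status:
            buckets["patched"].append(host)
        else:
            buckets["vulnerable"].append(host)
    return buckets


# Constructed sample data for the example; these are not real hosts.
SAMPLE_INVENTORY: Dict[str, str] = {
    "ws-01": "Google Chrome 148.0.7778.216",  # exactly the fixed build
    "ws-02": "Google Chrome 148.0.7778.90",   # same build line, older patch level
    "ws-03": "148.0.7700.120",                # earlier build
    "ws-04": "Google Chrome 149.0.7801.3",    # later major version
    "ws-05": "not installed",                 # no version to parse
}


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:11s} {', '.join(hosts) or '-'}")
    # The string comparison wrongly clears ws-02:
    print("naive check on ws-02:", naive_string_is_patched("148.0.7778.90"))
```

Feed `triage` the version field from whatever inventory source you already have (MDM export, `google-chrome --version` over SSH, the Windows uninstall registry keys); the parser ignores surrounding text. The fixed version is specific to Google Chrome, so Edge, Brave and Opera need their own thresholds from each vendor's advisory.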

Evidence notes

CVE description confirms Skia inappropriate implementation leading to information disclosure from process memory. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N supports network attack with user interaction, high confidentiality impact. Chromium security severity rated High. Chrome stable channel update 148.0.7778.216 contains the fix. NVD status 'Undergoing Analysis' at time of source publication. CWE-200 (Information Exposure) classified. No KEV entry present.

Official resources

2026-05-28T23:16:56.333Z