PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9985 Google CVE debrief

A high-severity information disclosure vulnerability in Google Chrome on ChromeOS, published 2026-05-28 and modified 2026-05-29. Insufficient validation of untrusted input in the Media component allows a remote attacker who has already compromised the renderer process to extract potentially sensitive information from process memory via a crafted HTML page. The vulnerability is rated CVSS 5.3 (Medium) with vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N, indicating high attack complexity requiring user interaction but no privileges. Affected versions are prior to ChromeOS 148.0.7778.216. The underlying weakness is categorized as CWE-20 (Improper Input Validation). No known exploitation in ransomware campaigns has been documented, and the vulnerability has not been added to CISA KEV.

Vendor
Google
Product
Chrome
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

Organizations and individuals running ChromeOS devices, particularly those handling sensitive data in browser sessions. Security teams managing ChromeOS enterprise deployments should prioritize patch verification given the high confidentiality impact despite medium CVSS score. Threat modelers should account for renderer compromise as a stepping stone to memory disclosure.

Technical summary

The vulnerability exists in the Media component of Google Chrome on ChromeOS where untrusted input is not sufficiently validated. An attacker who has already achieved renderer process compromise can leverage this flaw to read potentially sensitive information from process memory. The attack vector is network-based with high complexity, requiring user interaction (such as visiting a crafted HTML page) but no authenticated privileges. Successful exploitation does not affect integrity or availability per the CVSS vector, but confidentiality impact is rated high. The fix was released in ChromeOS stable channel version 148.0.7778.216.

Defensive priority

medium

Recommended defensive actions

  • Update ChromeOS to version 148.0.7778.216 or later as soon as updates are available through standard ChromeOS release channels
  • Restrict execution of untrusted HTML content and renderer processes using site isolation policies and content security policies where technically feasible
  • Monitor for anomalous renderer process behavior or unexpected memory access patterns that could indicate exploitation attempts
  • Review and apply principle of least privilege for web content execution environments to limit impact of renderer compromise
  • Validate that enterprise-managed ChromeOS devices receive the security update through organizational update policies

Evidence notes

CVE description and metadata sourced from NVD official record. Vendor attribution to Google Chrome/ChromeOS derived from CVE description and Chrome release blog reference. CVSS vector and weakness data from NVD source item metadata. Chromium security severity rating of High is explicitly noted in the CVE description despite the CVSS 5.3 Medium score.

Official resources

2026-05-28T23:16:56.740Z