PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9989 Google CVE debrief

A same-origin policy bypass in Google Chrome's media handling, rated High severity by Chromium and Medium (6.3) on the CVSS 3.1 scale. The flaw stems from an inappropriate implementation in the browser's Media component and is triggered when the browser processes a crafted video file, such as video content served from a page the attacker controls. A remote attacker who gets a victim to load such content may bypass same-origin protections, which could expose data belonging to other origins or allow actions to be taken in the victim's browsing context. The vulnerability was fixed in Chrome stable channel version 148.0.7778.216, shipped in the May 2026 stable channel update.

Vendor
Google
Product
Chrome
CVSS
MEDIUM 6.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

Any organization that uses Google Chrome for web access. Because the trigger is crafted video delivered over the network (AV:N) and only user interaction is required (UI:R), any user who can be led to a page or file carrying such content is exposed, not only those who deliberately download or stream video from external sources. Teams that own browser update cadence and endpoint hardening should prioritize this patch.

Technical summary

The vulnerability is an inappropriate implementation flaw in Chrome's Media subsystem. A crafted video file can be used to bypass the same-origin policy, a core browser security boundary. The attack requires user interaction (UI:R) and is network-exploitable without privileges (AV:N, PR:N). Successful exploitation may result in limited confidentiality, integrity, and availability impacts (C:L/I:L/A:L). The fix was shipped in Chrome stable version 148.0.7778.216.

Defensive priority

High

Recommended defensive actions

  • Upgrade Google Chrome to 148.0.7778.216 or later on every managed endpoint, including remote and BYOD devices, as soon as possible, and confirm the installed version after rollout rather than assuming the updater ran.
  • Verify that automatic updates are enabled, and not pinned or paused by policy, across all Chrome installations.
  • Where policy allows, restrict playback of untrusted video content (for example through autoplay or URL policies) until the fleet is confirmed patched.
  • Monitor browser and endpoint telemetry for unexpected cross-origin behavior or media-handling crashes; note that the advisory supplies no exploitation indicators and the CVE is not in CISA KEV, so verified patch coverage is the reliable control.
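The first action above depends on comparing reported Chrome versions against 148.0.7778.216 correctly. The following is an added example, not PatchSiren's or Google's code: it parses the four-part version string that `google-chrome --version` prints (for example "Google Chrome 148.0.7778.216") and compares it component by component, because a plain string comparison would rank 148.0.7778.9 above 148.0.7778.216. The hostnames and version strings in the sample inventory are constructed for the example.

```python
"""Chrome version inventory check (added example; not PatchSiren or Google code)."""
import re
from typing import Optional, Tuple

# First stable build carrying the fix, taken from the advisory.
FIXED_VERSION = "148.0.7778.216"

# Chrome reports a four-part dotted version; accept it anywhere in the text.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract the four-part version as a tuple of ints, or None if absent."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


def is_patched(reported: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if the reported build is at or above the fixed build.

    Returns None when no version can be parsed, so callers can treat an
    unknown version as needing follow-up rather than silently passing it.
    """
    reported_v = parse_version(reported)
    if reported_v is None:
        return None
    fixed_v = parse_version(fixed)
    assert fixed_v is not None, "fixed version must be a four-part string"
    return reported_v >= fixed_v  # tuple comparison is numeric per component


# Constructed sample inventory: hostname -> output of `google-chrome --version`.
SAMPLE_INVENTORY = {
    "ws-001": "Google Chrome 148.0.7778.216",  # exactly the fixed build
    "ws-002": "Google Chrome 148.0.7778.9",    # a string compare would wrongly pass this
    "ws-003": "Google Chrome 149.0.7801.50",   # later major release, also fixed
    "ws-004": "Google Chrome 147.0.7700.120",  # older release, needs the update
    "ws-005": "",                              # inventory agent returned nothing
}


def unpatched_hosts(inventory: dict, fixed: str = FIXED_VERSION) -> dict:
    """Return hosts not confirmed at or above `fixed`, mapped to a reason."""
    findings = {}
    for host, reported in inventory.items():
        status = is_patched(reported, fixed)
        if status is None:
            findings[host] = "version unknown"
        elif not status:
            version = ".".join(str(n) for n in parse_version(reported))
            findings[host] = f"running {version}"
    return findings


if __name__ == "__main__":
    for host, reason in unpatched_hosts(SAMPLE_INVENTORY).items():
        print(f"{host}: {reason}")
```

Feed the function whatever your inventory tool collects (the same four-part string appears in chrome://version on all platforms); hosts that return nothing are reported as unknown rather than dropped, since a missing version is not evidence of a patched browser.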

Evidence notes

CVE description confirms the issue exists in Google Chrome prior to 148.0.7778.216 and is classified as High severity by Chromium. CVSS vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L yields a base score of 6.3 (Medium). The weakness is mapped to CWE-346 (Origin Validation Error). Vendor attribution is supported by Chrome release blog and Chromium issue tracker references.

Official resources

2026-05-28