PatchSiren cyber security CVE debrief

CVE-2026-9990 Google CVE debrief

A use-after-free vulnerability in Google Chrome's WebAppInstalls component on macOS, rated High severity by Chromium. The flaw exists in versions prior to 148.0.7778.216 and requires user interaction through specific UI gestures to trigger. Successful exploitation could lead to heap corruption, potentially enabling remote code execution. The vulnerability was disclosed via Chrome's stable channel release notes and is tracked in the Chromium issue tracker. No known exploitation in ransomware campaigns has been reported.

Vendor: Google
Product: Chrome
CVSS: High (7.5)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

macOS users and administrators running Google Chrome; organizations with bring-your-own-device policies; security teams monitoring browser-based attack vectors

Technical summary

The vulnerability is a use-after-free (CWE-416) in the WebAppInstalls component of Google Chrome on macOS. It requires a remote attacker to convince a user to perform specific UI gestures, after which a crafted HTML page can trigger heap corruption. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) reflects network attack vector, high attack complexity, no privileges required, user interaction required, and high impacts to confidentiality, integrity, and availability. The fix is available in Chrome stable channel version 148.0.7778.216.

Defensive priority

High

Recommended defensive actions

  • Update Google Chrome on macOS to version 148.0.7778.216 or later
  • Restrict execution of untrusted HTML content and limit user interaction with untrusted web applications
  • Monitor for anomalous browser crashes or unexpected heap corruption indicators on macOS endpoints
  • Review browser extension and web app installation policies to reduce attack surface
  • Apply principle of least privilege for user accounts to limit impact of potential browser compromise

Evidence notes

CVE published 2026-05-28; modified 2026-05-29. Vendor attribution derived from reference domain 'Googleblog' with low confidence and flagged for review. Chrome release notes and Chromium issue tracker confirm Google as the vendor.

Official resources

2026-05-28