PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9991 Google CVE debrief

A cross-origin data leak vulnerability in the media implementation of Google Chrome on Windows, scored Low by NVD (CVSS v3.1 base score 3.1) but rated High on Chromium's own security severity scale. The flaw affects Chrome versions prior to 148.0.7778.216 and could be exploited by a remote attacker who had already compromised the renderer process, using a crafted HTML page to leak cross-origin data. The CVE was published on May 28, 2026 and last modified on May 29, 2026; it is still undergoing NVD analysis and is not listed in the CISA KEV catalog as of the stored evidence. The weakness is classified as information exposure (CWE-200) arising from an inappropriate implementation in the media component.

Vendor
Google
Product
Chrome
CVSS
3.1 (Low), CVSS v3.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

Organizations running Google Chrome on Windows endpoints, especially where security controls rely on same-origin policy enforcement for media resources. When prioritizing this patch, security teams should weigh Chromium's High severity rating against NVD's Low CVSS score: the CVSS vector scores the prerequisite renderer compromise as high attack complexity, whereas Chromium's rating is an independent internal assessment of the bug. The renderer-compromise prerequisite limits opportunistic, large-scale exploitation but does not remove the risk from targeted attacks that chain this bug with a separate renderer exploit.

Technical summary

The vulnerability resides in the media implementation of Google Chrome on Windows. An attacker who has already compromised the renderer process can serve a crafted HTML page that triggers the inappropriate media handling and leaks cross-origin data. Per the CVSS vector, exploitation requires user interaction (the victim must load the attacker's page) and is rated high complexity, because the renderer compromise must be obtained first through a separate bug. The fix shipped in Chrome 148.0.7778.216.

Defensive priority

Moderate

Recommended defensive actions

  • Update Google Chrome on Windows to version 148.0.7778.216 or later, the first build that contains the fix; compare versions numerically, component by component, since a string comparison misorders four-part Chrome versions
  • Apply the Stable Channel update referenced in the Chrome release notes
  • Monitor for additional Chromium security updates that may address related media component issues
  • Review browser security configuration and keep Site Isolation enabled (the SitePerProcess and IsolateOrigins enterprise policies); it is the boundary meant to stop a compromised renderer from reading other origins' data, which is exactly what this bug defeats, so the policy complements the patch rather than replacing it
  • Assess whether enterprise deployments require accelerated patching given the High Chromium security severity rating despite the Low CVSS score
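The first action above turns into an inventory check in practice. The following script, added here as an example and not PatchSiren's or Google's tooling, triages a constructed Chrome version inventory against the fixed build. The `hostname,os,chrome_version` line format, the host names and the version strings are assumptions for illustration; the only value taken from the advisory is 148.0.7778.216. The sample deliberately includes 148.0.7778.9, which a naive string comparison would treat as newer than the fixed build.

```python
"""Triage a Chrome version inventory against the fixed build for this CVE.

Added example for this debrief; the inventory format (hostname,os,chrome_version)
and the sample hosts are constructed, not data published by PatchSiren or Google.
"""
from typing import NamedTuple

FIXED_VERSION = "148.0.7778.216"  # first fixed build per the advisory


class Host(NamedTuple):
    hostname: str
    os: str
    chrome_version: str


def parse_version(text):
    """Turn '148.0.7778.216' into (148, 0, 7778, 216) for numeric comparison."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Chrome version: {text!r}")
    return tuple(int(p) for p in parts)


def is_fixed(version, fixed=FIXED_VERSION):
    """True when the installed version is at or above the fixed build.

    Tuples compare component by component, so 148.0.7778.9 correctly sorts
    below 148.0.7778.216; the raw strings would sort the other way round.
    """
    return parse_version(version) >= parse_version(fixed)


def parse_inventory(text):
    """Parse 'hostname,os,chrome_version' lines; '#' lines and blanks are skipped."""
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hostname, os_name, version = (field.strip() for field in line.split(","))
        hosts.append(Host(hostname, os_name, version))
    return hosts


def triage(hosts, fixed=FIXED_VERSION):
    """Bucket hosts: Windows hosts below the fix are in scope for this CVE,
    other platforms below the fix are out of the advisory's scope but still
    behind Stable, and everything else is already fixed."""
    result = {"patch_now": [], "old_other_os": [], "fixed": []}
    for host in hosts:
        if is_fixed(host.chrome_version, fixed):
            result["fixed"].append(host.hostname)
        elif host.os.lower() == "windows":
            result["patch_now"].append(host.hostname)
        else:
            result["old_other_os"].append(host.hostname)
    return result


# Constructed sample inventory; these hosts and versions are illustrative only.
SAMPLE_INVENTORY = """\
# hostname,os,chrome_version
ws-001,Windows,148.0.7778.216
ws-002,Windows,148.0.7778.9
ws-003,Windows,147.0.7700.100
mac-001,macOS,148.0.7778.9
ws-004,Windows,149.0.7800.50
"""

if __name__ == "__main__":
    for bucket, names in triage(parse_inventory(SAMPLE_INVENTORY)).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Feed it the export from whatever inventory or MDM system holds the Chrome version per endpoint; the `patch_now` bucket is the set of Windows hosts this advisory applies to.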

Evidence notes

The CVE description confirms this is a renderer-process-compromise scenario requiring prior attacker access to the renderer. The CVSS v3.1 vector (AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N) denotes network attack vector, high attack complexity, no privileges required, user interaction required, unchanged scope, and low confidentiality impact with no integrity or availability impact; under the v3.1 base-score equations that vector yields 3.1, which is the Low rating recorded above. The Chromium security severity of High contrasts with the NVD CVSS Low rating, indicating that Chromium's internal risk assessment differs from standardized scoring.

Official resources

Google Chrome Stable Channel update for desktop, released May 2026