Description
Uninitialized Use in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-28
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Uninitialized variable use in the WebGL API in Google Chrome for Android opens a path for attackers to read process memory. The flaw enables a remote attacker to craft a malicious HTML page that triggers the uninitialized WebGL code, leaking potentially sensitive data. The weakness is a classic uninitialized variable defect (CWE-457) and a missing bounds check (CWE-824), and is classified by Chromium as a high-severity issue.

Affected Systems

The vulnerability affects Google Chrome on Android devices running any version prior to 148.0.7778.216. All users of Chrome on Android using these releases are at risk.

Risk and Exploitability

The EPSS score of <1% indicates a very low probability that this vulnerability will be exploited in the wild, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 6.5 signals moderate-to-high severity, and Chromium’s high severity classification highlights the importance of this issue. An attacker who can host a malicious page, or convince a user to visit one, can read memory contents, potentially compromising credentials or other sensitive information. Updating to the fixed version or later mitigates the risk.

Generated by OpenCVE AI on May 29, 2026 at 15:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 148.0.7778.216 or later.
  • If an immediate update is not possible, avoid browsing suspicious or untrusted sites that could deliver malicious WebGL content.
  • Consider disabling WebGL in browser settings or using extensions that block WebGL execution until a patched Chrome release becomes available.

Advisories

No advisories yet.

History

Fri, 29 May 2026 17:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Fri, 29 May 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | Uninitialized WebGL Use Allows Remote Memory Disclosure in Chrome on Android | chromium-browser: Uninitialized Use in WebGL |
| Weaknesses | | CWE-824 |
| References | | |
| Metrics | threat_severity: None | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}; threat_severity: Important |


Fri, 29 May 2026 00:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | | Uninitialized WebGL Use Allows Remote Memory Disclosure in Chrome on Android |

Fri, 29 May 2026 00:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Google; Google chrome |
| Vendors & Products | | Google; Google chrome |

Thu, 28 May 2026 22:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Uninitialized Use in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) |
| Weaknesses | | CWE-457 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-29T16:24:36.584Z

Reserved: 2026-05-28T17:24:50.807Z

Link: CVE-2026-9917

Vulnrichment

Updated: 2026-05-29T16:24:33.403Z

NVD

Status: Undergoing Analysis

Published: 2026-05-28T23:16:49.797

Modified: 2026-05-29T18:17:14.657

Link: CVE-2026-9917

Red Hat

Severity: Important

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-9917 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T15:45:16Z

Weaknesses