Description
Out of bounds read in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-28
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out‑of‑bounds read vulnerability in the WebGL implementation of Google Chrome for Android allows a remote attacker to exfiltrate cross‑origin data through a specially crafted HTML page. The flaw causes the graphics engine to read memory beyond the intended buffer, exposing sensitive information that should be protected by the same‑origin policy. This represents a privacy breach and confidentiality risk that can be triggered simply by loading a malicious webpage.

Affected Systems

All Android installations of Google Chrome prior to version 148.0.7778.216 are vulnerable when they load a page with crafted WebGL requests. Versions 148.0.7778.216 and later contain the fix.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, implying no known large‑scale exploitation yet. Exploitation requires no local privileges, only that a user visits a malicious webpage in the affected browser.

Generated by OpenCVE AI on May 29, 2026 at 18:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 148.0.7778.216 or later to eliminate the out‑of‑bounds read error.
  • As a temporary measure, disable WebGL via chrome://flags or equivalent browser settings to prevent out‑of‑bounds reads until the update is applied.
  • Keep monitoring Chrome release notes for any further patches or security advisories related to WebGL issues.

Advisories

No advisories yet.

History

Fri, 29 May 2026 17:30:00 +0000

Type: Metrics
Values Removed:
  cvssV3_1: {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N'}
Values Added:
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
  cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}


Fri, 29 May 2026 12:15:00 +0000

Type: Title
Values Removed: Out-of-bounds Read in Chrome WebGL Allows Cross-Origin Data Leakage
Values Added: chromium-browser: Out of bounds read in WebGL

Type: References

Type: Metrics
Values Removed:
  threat_severity: None
Values Added:
  cvssV3_1: {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N'}
  threat_severity: Important


Fri, 29 May 2026 01:15:00 +0000

Type: Title
Values Added: Out-of-bounds Read in Chrome WebGL Allows Cross-Origin Data Leakage

Fri, 29 May 2026 00:30:00 +0000

Type: First Time appeared
Values Added:
  Google
  Google chrome

Type: Vendors & Products
Values Added:
  Google
  Google chrome

Thu, 28 May 2026 22:45:00 +0000

Type: Description
Values Added: Out of bounds read in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Type: Weaknesses
Values Added: CWE-125

Type: References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-29T16:25:04.350Z

Reserved: 2026-05-28T17:24:51.240Z

Link: CVE-2026-9919

Vulnrichment

Updated: 2026-05-29T16:25:00.600Z

NVD

Status: Undergoing Analysis

Published: 2026-05-28T23:16:49.990

Modified: 2026-05-29T18:17:14.817

Link: CVE-2026-9919

Redhat

Severity: Important

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-9919 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T14:45:06Z

Weaknesses