Description
Inappropriate implementation in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-28
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An inappropriate implementation in the WebGL subsystem of Google Chrome on Android enables a remote attacker to read data that originates from a different origin by presenting a specially crafted HTML page. This flaw does not grant code execution or privilege escalation; instead, it allows the disclosure of information that should remain isolated, such as data stored in WebGL contexts. It is identified as CWE‑346 Missing Authentication for a Critical Function and also represents a CWE‑200 Information Exposure weakness, and Chromium lists it as a high‑severity issue.

Affected Systems

Android installations running Google Chrome versions earlier than 148.0.7778.216 are affected. The vulnerability exists only in the Android build of Chrome and does not impact desktop or other operating systems.

Risk and Exploitability

The likely attack vector is a malicious HTML page that exploits the WebGL bug, allowing the attacker to trigger the data leak. It is inferred from the description that no special privileges or authentication are required, making the attack possible from any website the user opens. The CVSS score of 4.3 indicates a moderate risk, while an EPSS score of less than 1% shows a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 29, 2026 at 18:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to 148.0.7778.216 or newer to apply the fix.
  • If an update is not yet available, disable WebGL by navigating to chrome://flags and turning off the WebGL enable flag.
  • Consider using an alternative browser that does not expose WebGL or applies stricter cross‑origin policies.

Generated by OpenCVE AI on May 29, 2026 at 18:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6316-1 chromium security update
History

Mon, 01 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Google android
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
Vendors & Products Google android

Fri, 29 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

Fri, 29 May 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Fri, 29 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title WebGL Cross‑Origin Data Leak via Crafted Page in Chrome on Android chromium-browser: Inappropriate implementation in WebGL
Weaknesses CWE-346
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

threat_severity

Important

Fri, 29 May 2026 00:30:00 +0000

Type Values Removed Values Added
Title WebGL Cross‑Origin Data Leak via Crafted Page in Chrome on Android
First Time appeared Google
Google chrome
Weaknesses CWE-200
Vendors & Products Google
Google chrome

Thu, 28 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
References

Subscriptions

Google Android Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-29T16:27:30.252Z

Reserved: 2026-05-28T17:24:53.312Z

Link: CVE-2026-9929

cve-icon Vulnrichment

Updated: 2026-05-29T16:27:19.874Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-28T23:16:50.997

Modified: 2026-06-01T18:47:48.787

Link: CVE-2026-9929

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-9929 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T18:45:05Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-346

    Origin Validation Error