Description
Inappropriate implementation in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-28
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An inappropriate implementation in the WebGL subsystem of Google Chrome on Android enables a remote attacker to read data that originates from a different origin by presenting a specially crafted HTML page. This flaw does not grant code execution or privilege escalation; instead, it allows the disclosure of information that should remain isolated, such as data stored in WebGL contexts. It is identified as a CWE‑200 Information Exposure and a CWE‑346 Missing Authentication for a Critical Function, and Chromium lists it as a high‑severity issue.

Affected Systems

Android installations running Google Chrome versions earlier than 148.0.7778.216 are affected. The vulnerability exists only in the Android build of Chrome and does not impact desktop or other operating systems.

Risk and Exploitability

An attacker can trigger the data leak by getting a user to open a malicious HTML page that exploits the WebGL bug. No special privileges or authentication are required, making the attack possible from any website the user opens. The CVSS score of 6.5 indicates a moderate‑to‑high risk, while an EPSS score of less than 1% shows a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 29, 2026 at 16:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to 148.0.7778.216 or newer to apply the fix.
  • If an update is not yet available, disable WebGL by navigating to chrome://flags and turning off the WebGL enable flag.
  • Consider using an alternative browser that does not expose WebGL or applies stricter cross‑origin policies.


Advisories

No advisories yet.

History

Fri, 29 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}


Fri, 29 May 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Fri, 29 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title WebGL Cross‑Origin Data Leak via Crafted Page in Chrome on Android chromium-browser: Inappropriate implementation in WebGL
Weaknesses CWE-346
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

threat_severity

Important


Fri, 29 May 2026 00:30:00 +0000

Type Values Removed Values Added
Title WebGL Cross‑Origin Data Leak via Crafted Page in Chrome on Android
First Time appeared Google
Google chrome
Weaknesses CWE-200
Vendors & Products Google
Google chrome

Thu, 28 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-29T16:27:30.252Z

Reserved: 2026-05-28T17:24:53.312Z

Link: CVE-2026-9929

Vulnrichment

Updated: 2026-05-29T16:27:19.874Z

NVD

Status: Awaiting Analysis

Published: 2026-05-28T23:16:50.997

Modified: 2026-05-29T02:35:42.620

Link: CVE-2026-9929

Redhat

Severity: Important

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-9929 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T16:30:02Z

Weaknesses