Description
Race in WebRTC in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-28
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The reported race condition in Chrome’s WebRTC implementation lets a remote attacker read cross‑origin data once the victim loads a specially crafted HTML page. The flaw stems from a timing window inside the WebRTC stack and can be exploited without any privileged access, resulting in a loss of confidentiality for data that the same‑origin policy is meant to protect. The weakness is classified as CWE‑362 (a classic race condition) and also as CWE‑366 (race condition within a thread).

Affected Systems

Google Chrome for Windows, any build prior to 148.0.7778.216, including older stable releases.

Risk and Exploitability

The Chromium security team rates the vulnerability as high severity. Exploitation requires the victim to visit a malicious page that uses WebRTC; the flaw does not provide remote code execution or privilege escalation. The EPSS score is below 1%, and the vulnerability is not listed in CISA’s KEV catalog, so no widespread exploitation has been documented yet. However, the attack vector is a standard web page reachable remotely, so any user who loads an untrusted site could be affected. The CVSS base score of 3.1 places the exposure in the Low band.

Generated by OpenCVE AI on May 29, 2026 at 19:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 148.0.7778.216 or later to obtain the fixed WebRTC implementation.
  • If you cannot upgrade immediately, disable WebRTC in Chrome by setting the "WebRTC" flag to Disabled or install a reputable extension that blocks WebRTC calls.
  • Use browser‑level or network‑level controls (e.g., group policy or firewall rules) to restrict access to WebRTC‑related protocols if disabling is not feasible.


Advisories

No advisories yet.

History

Fri, 29 May 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Microsoft; Microsoft windows
CPEs | | cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*; cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products | | Microsoft; Microsoft windows

Fri, 29 May 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'} | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}; cvssV3_1 {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}

Fri, 29 May 2026 12:15:00 +0000

Type | Values Removed | Values Added
Title | Race Condition in WebRTC Exposes Cross‑Origin Data | chromium-browser: Race in WebRTC
Weaknesses | | CWE-366
References | |
Metrics | threat_severity None | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}; threat_severity Important

Fri, 29 May 2026 01:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google; Google chrome
Vendors & Products | | Google; Google chrome

Fri, 29 May 2026 00:15:00 +0000

Type | Values Removed | Values Added
Title | | Race Condition in WebRTC Exposes Cross‑Origin Data

Thu, 28 May 2026 22:45:00 +0000

Type | Values Removed | Values Added
Description | | Race in WebRTC in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Weaknesses | | CWE-362
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-29T16:31:16.170Z

Reserved: 2026-05-28T17:25:00.792Z

Link: CVE-2026-9959

Vulnrichment

Updated: 2026-05-29T16:31:12.394Z

NVD

Status : Analyzed

Published: 2026-05-28T23:16:54.100

Modified: 2026-05-29T20:38:45.123

Link: CVE-2026-9959

Redhat

Severity : Important

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-9959 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T20:00:05Z

Weaknesses