Description
Uninitialized Use in iOS in Google Chrome on iOS prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-28
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An uninitialized-use flaw (CWE-457) in Google Chrome for iOS allows a crafted web page to execute arbitrary code inside the Chrome sandbox when the user performs specific UI gestures, such as scrolling or tapping. Chromium rates the issue as High severity.

Affected Systems

Google Chrome on iOS versions earlier than 148.0.7778.216 are affected. Users running these builds of the browser are exposed to the risk described above.

Risk and Exploitability

Because the flaw is triggered by a crafted HTML page viewed in Chrome, a remote attacker who persuades a user to visit such a page and interact with the browser interface can execute code inside the sandbox. No exploitation is listed in the CISA KEV catalog and the EPSS score is below 1%, while the CVSS score of 7.5 rates the issue High. Users who keep iOS and Chrome up to date (Chrome 148.0.7778.216 or later) are not affected.

Generated by OpenCVE AI on May 29, 2026 at 15:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Chrome update for iOS (148.0.7778.216 or newer).
  • If an update is not immediately available, consider uninstalling Chrome or blocking access to untrusted sites using iOS content‑filtering settings.
  • Keep the device’s iOS operating system up‑to‑date and enable any built‑in web‑content restrictions to reduce exposure to malicious pages.

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple iphone Os
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple iphone Os

Fri, 29 May 2026 15:45:00 +0000

Type Values Removed Values Added
Title Uninitialized Use Vulnerability in Google Chrome on iOS Enables Remote Code Execution via Crafted HTML

Fri, 29 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 29 May 2026 01:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Title Uninitialized Use Vulnerability in Google Chrome on iOS Enables Remote Code Execution via Crafted HTML

Thu, 28 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description Uninitialized Use in iOS in Google Chrome on iOS prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-457
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-29T12:38:25.071Z

Reserved: 2026-05-28T17:25:02.357Z

Link: CVE-2026-9963

Vulnrichment

Updated: 2026-05-29T12:38:19.679Z

NVD

Status : Analyzed

Published: 2026-05-28T23:16:54.527

Modified: 2026-05-29T16:06:09.290

Link: CVE-2026-9963

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:30:04Z

Weaknesses