Description
Inappropriate implementation in Media in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to bypass same origin policy via a crafted video file. (Chromium security severity: High)
Published: 2026-05-28
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An inappropriate implementation in the Media component of Google Chrome before version 148.0.7778.216 allows a remote attacker to bypass the same-origin policy through a carefully crafted video file. The flaw enables the attacker to access resources and execute scripts from domains that the victim’s browser normally protects, potentially leading to data theft or unauthorized code execution. The weakness is a form of improper access control, as described by CWE-346.

Affected Systems

Google Chrome desktop clients on any operating system or platform at versions prior to 148.0.7778.216 are affected. The vulnerability lies in the browser's media handling of video files delivered to it.

Risk and Exploitability

Chromium classifies this issue with high severity, reflected by a CVSS score of 9.3. The likely exploitation vector is a remote attacker who can host or serve a malicious video file that the victim’s Chrome downloads or plays. The EPSS score is <1%, and the vulnerability is not listed in the CISA KEV catalog. Given this high severity rating, the risk of exploitation is significant if an attacker can supply the crafted file to a user’s Chrome browser. No public exploit is currently documented, but the attack could be automated once the media decoding chain is triggered.

Generated by OpenCVE AI on May 29, 2026 at 16:37 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 148.0.7778.216 or later, which contains the fix for the media decoding flaw.
  • Ensure automatic updates are enabled so that Chrome receives future security patches promptly.
  • If an immediate upgrade is impossible, restrict or disable media autoplay and block video downloads from untrusted or unverified sources to reduce the chance that the vulnerable decoding path is exercised.


Tracking


Advisories

No advisories yet.

History

Fri, 29 May 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}


Fri, 29 May 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Fri, 29 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title Same-origin policy bypass via crafted video file in Google Chrome chromium-browser: Inappropriate implementation in Media
Weaknesses CWE-346
References
Metrics threat_severity

None

cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}

threat_severity

Important


Fri, 29 May 2026 00:45:00 +0000

Type Values Removed Values Added
Title Same-origin policy bypass via crafted video file in Google Chrome
First Time appeared Google
Google chrome
Weaknesses CWE-284
Vendors & Products Google
Google chrome

Thu, 28 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Media in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to bypass same origin policy via a crafted video file. (Chromium security severity: High)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-29T18:07:39.713Z

Reserved: 2026-05-28T17:25:08.852Z

Link: CVE-2026-9989

Vulnrichment

Updated: 2026-05-29T18:07:30.448Z

NVD

Status : Undergoing Analysis

Published: 2026-05-28T23:16:57.140

Modified: 2026-05-29T19:16:31.457

Link: CVE-2026-9989

Redhat

Severity : Important

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-9989 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T16:45:03Z

Weaknesses