Critical

Out-of-bounds Read in WebGL in Google Chrome on Android

IdentifiersCVE-2026-9875CWE-125· Out-of-bounds Read

CVE-2026-9875 is a critical out-of-bounds read vulnerability in the WebGL component of Google Chrome on Android prior to version 148.0.7778.216. According to the provided advisories and summaries, the flaw can be triggered by a remote attacker using a crafted HTML page. While detailed root-cause information and the specific vulnerable function have not been publicly disclosed, the issue is characterized as a memory-safety error in WebGL that may permit reading memory outside intended bounds during processing of attacker-controlled web content. Google noted that exploitation of this class of browser flaw could contribute to sandbox escape, remote code execution, or data corruption scenarios.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation could allow a remote attacker to induce an out-of-bounds read in Chrome's WebGL handling on Android when a victim visits a malicious page. The provided sources specifically state that the flaw could potentially be used to perform a sandbox escape. Additional stated consequences for the broader bug class include browser instability, data corruption, and possible exposure of unintended memory contents. Google rated the issue as critical.

Mitigation

If you can’t patch tonight, do this now.

No specific temporary workaround is provided in the supplied advisories. The practical mitigation is to update affected browsers immediately to a fixed version and ensure managed enterprise fleets are not lagging behind approved package catalogs or staged rollout channels. Reducing exposure to untrusted web content may lower risk, but patching is the recommended mitigation.

Remediation

Patch, then assume compromise.

Upgrade Google Chrome on Android to version 148.0.7778.216 or later. For Chromium-based downstream products, apply the corresponding vendor fixes; for example, Microsoft Edge should be updated to version 148.0.3967.97 or later, and Debian chromium packages should be upgraded to the fixed distribution versions referenced by the vendor advisories.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

GoogleChromeapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

cyber security newsNews

May 29, 2026

Google Patches 151 Vulnerabilities in Chrome, Including 22 Critical One’s

An out-of-bounds read vulnerability in Chrome's WebGL component that could contribute to sandbox escape, remote code execution, or data corruption via a malicious page.

cyberthroneNews

May 29, 2026

Google Chrome 148 Security Update - TheCyberThrone

A critical out-of-bounds read vulnerability in Chrome WebGL.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-9875

NVD

nvd.nist.gov/vuln/detail/CVE-2026-9875

MITRE CWE · CWE-125

Out-of-bounds Read

Release Notes

chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html

Permissions Required

issues.chromium.org/issues/507508103