Cyber Resilience

CVE-2026-9989

MediumUpdated

Published: 28 May 2026

Published
28 May 2026
Modified
17 June 2026
KEV Added
Patch
CVSS Score v3.1 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
EPSS Score 0.0011 1.4th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-9989 is a medium-severity Origin Validation Error (CWE-346) vulnerability in Google Chrome. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 1.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Inappropriate implementation in Media in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to bypass same origin policy via a crafted video file. (Chromium security severity: High)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
Why these techniques?

SOP bypass in browser media handling directly enables drive-by compromise via malicious web content.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-11693Same product: Apple Macos
CVE-2022-0806Same product: Apple Macos
CVE-2022-0799Same product: Apple Macos
CVE-2022-0791Same product: Apple Macos
CVE-2022-0796Same product: Apple Macos
CVE-2022-0805Same product: Apple Macos
CVE-2022-0803Same product: Apple Macos
CVE-2022-0798Same product: Apple Macos
CVE-2022-0797Same product: Apple Macos
CVE-2022-0807Same product: Apple Macos

Affected Assets

google
chrome
≤ 148.0.7778.216 · ≤ 148.0.7778.215

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-346

Requires unique identification of the service before communications, addressing failures to validate the origin of the interaction.

addresses: CWE-346

Trusted path establishment enforces validation that the communication originates from and reaches only the intended trusted system components.

addresses: CWE-346

Enforces validation of the true origin of DNS responses via signatures and chain-of-trust mechanisms.

addresses: CWE-346

Enforces origin validation of name/address data, eliminating reliance on unverified or impersonated DNS sources.

addresses: CWE-346

Mandates origin validation so that only legitimate endpoints can continue the authenticated session.

Hardening callouts derived

Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).

Oracle Linux 8 (3 rules)
  • V-248574 YUM must be configured to prevent the installation of patches, service packs, device drivers, or OL 8 system components that have not been digitally signed using a certificate that is recognized and approved by the organization. via CWE-346
  • V-248575 OL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. via CWE-346
  • V-248827 OL 8 must not have the rsh-server package installed. via CWE-346

References