Cyber Resilience

CVE-2026-9996

Medium · Updated

Published: 28 May 2026

Modified: 17 June 2026
KEV Added
Patch
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
EPSS Score: 0.0019 (8.9th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-9996 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Google Chrome. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks at the 8.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

Out of bounds read in WebRTC in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1189 Drive-by Compromise (Tactic: Initial Access)
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

T1005 Data from Local System (Tactic: Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

OOB read in browser process via crafted HTML page directly enables drive-by compromise (T1189) and extraction of sensitive data from local process memory (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-10930 · Same product: Apple macOS
CVE-2026-11690 · Same product: Apple macOS
CVE-2026-11111 · Same product: Apple macOS
CVE-2026-5282 · Same product: Apple macOS
CVE-2026-9953 · Same product: Apple macOS
CVE-2026-5913 · Same product: Apple macOS
CVE-2026-3061 · Same product: Apple macOS
CVE-2026-9908 · Same product: Google Chrome
CVE-2026-11301 · Same product: Apple macOS
CVE-2026-11279 · Same product: Apple macOS

Affected Assets

Vendor: google
Product: chrome
Affected versions: ≤ 148.0.7778.216

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
