How is CVE-2026-9872 exploited?

Network reachability (required): The attacker delivers the exploit over the network by serving a crafted HTML page, so the victim's device must be able to reach attacker-controlled web content. Authentication (not-required): No account or credential is needed; any anonymous remote attacker can attempt the exploit. Victim interaction (required): The victim must navigate to or be redirected to the attacker's crafted HTML page, requiring at least one user action such as clicking a link. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, memory layout randomization, or other hard-to-control environmental factors.

What is the impact of CVE-2026-9872?

Attacker escapes the Chrome GPU sandbox and gains code execution in a higher-privilege host process on the Android device. Confidentiality is fully compromised: the attacker can read files, session tokens, and application data accessible to the host process. Integrity is fully compromised: the attacker can write or modify files, credentials, and persisted application data on the device. Availability is fully compromised: the attacker can crash or disable the browser process or other services accessible from the escaped context.

Back to search

CRITICALCVE-2026-9872Published 2026-05-28Modified 2026-05-30CNA Chrome

CVE-2026-9872: Out of bounds write in GPU in Google Chrome on Android prior to 148

Out of bounds write in GPU in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

HarborGuard Analysis

HarborGuard analysis

Synopsis

Out-of-bounds write in the GPU component of Google Chrome on Android (versions before 148.0.7778.216) allows a remote attacker to escape the browser sandbox by tricking a user into visiting a crafted HTML page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) indicates the attacker requires no authentication and exploits the vulnerability over the network, with only a single user interaction needed. Successful exploitation gives the attacker full confidentiality, integrity, and availability impact beyond the sandbox boundary, enabling code execution in the host process context. A patched-image rebuild at version 148.0.7778.216 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-9872 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built Android container images that bundle a Chrome component. HarborGuard's registry and pipeline scanners are capable of flagging any image carrying a Chrome version below 148.0.7778.216 as soon as the advisory enters the feed.

Available

Triage

Triage is available using the CVSS v3.1 base score of 9.6 (Critical), with per-environment compliance policy weighting applied to prioritize the finding according to each customer organization's risk thresholds. Routing to the appropriate team inbox within each customer org is handled automatically based on configured escalation rules.

Available

Patch

A patched-image rebuild at Chrome 148.0.7778.216 becomes available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run regression tests, and open a pull request against affected workloads automatically, with a median time from CVE publication to merged patch PR of around 90 minutes for Critical-severity issues.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the exploit over the network by serving a crafted HTML page, so the victim's device must be able to reach attacker-controlled web content.
AuthenticationNot required
No account or credential is needed; any anonymous remote attacker can attempt the exploit.
Victim interactionRequired
The victim must navigate to or be redirected to the attacker's crafted HTML page, requiring at least one user action such as clicking a link.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, memory layout randomization, or other hard-to-control environmental factors.

Blast Radius

Attacker escapes the Chrome GPU sandbox and gains code execution in a higher-privilege host process on the Android device.
Confidentiality is fully compromised: the attacker can read files, session tokens, and application data accessible to the host process.
Integrity is fully compromised: the attacker can write or modify files, credentials, and persisted application data on the device.
Availability is fully compromised: the attacker can crash or disable the browser process or other services accessible from the escaped context.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-9872 is active across all connected registries and CI pipelines, matching images that bundle Chrome below 148.0.7778.216 within minutes of feed ingestion. Where compliance policy permits, a patched rebuild at 148.0.7778.216 is queued automatically; for customers who opt into auto-remediation, HarborGuard runs a regression test suite against the rebuilt image and opens a pull request against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for Critical-severity issues. Customers who manage remediation manually can use HarborGuard's finding detail to pinpoint every image and pipeline stage carrying the affected Chrome version and prioritize accordingly given the Critical CVSS score and sandbox-escape impact.

See how HarborGuard automates this

CVSS v3.1: 9.6
Severity: CRITICAL
Fixed in: 148.0.7778.216
Affected Products: 1

Fix available

148.0.7778.216

Affected packages

Google / Chrome
< 148.0.7778.216 (from 148.0.7778.216)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

References

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Metrics

Fix available