How is CVE-2026-9898 exploited?

Network reachability (required): The attacker must deliver a crafted HTML page over the network to a target running the affected Chrome version on Android. Authentication (not-required): No account or credential is needed to serve the malicious page; any unauthenticated remote attacker can attempt delivery. Victim interaction (required): The target user must navigate to or be social-engineered into loading a specially crafted HTML page in the affected browser. Attack complexity (info): Exploitation is high complexity because the attacker must first have compromised the Chrome renderer process before attempting the GPU sandbox escape, introducing a significant precondition.

What is the impact of CVE-2026-9898?

A successful attacker escapes the Chrome browser sandbox on the target Android device, gaining code execution in a more privileged context outside the renderer. With high confidentiality impact, the attacker reads data accessible beyond the sandbox boundary, including session tokens, credentials, and on-device storage. With high integrity impact, the attacker modifies files, application data, or system state outside the browser sandbox. With high availability impact, the attacker disrupts or crashes processes and services on the affected device beyond the browser itself.

Back to search

HIGHCVE-2026-9898Published 2026-05-28Modified 2026-05-30CNA Chrome

CVE-2026-9898: Insufficient validation of untrusted input in GPU in Google Chrome on Android prior to 148

Insufficient validation of untrusted input in GPU in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

HarborGuard Analysis

HarborGuard analysis

Synopsis

This is an insufficient input validation vulnerability in the GPU component of Google Chrome on Android, affecting versions prior to 148.0.7778.216. The flaw is reachable over the network but requires the attacker to have already compromised the Chrome renderer process and to trick the user into visiting a crafted HTML page. Successful exploitation allows a full sandbox escape, giving the attacker code execution outside the browser sandbox with high impact on confidentiality, integrity, and availability. A patched-image rebuild at version 148.0.7778.216 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection for CVE-2026-9898 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built Android-based container images embedding Chrome. Coverage extends to both registry scans and in-pipeline image checks at build time.

Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS v3.1 rating of 8.3 (HIGH) and weighting that score against each customer environment's compliance policy to prioritize routing. Triage tickets can be directed to the appropriate team inbox within each customer organization based on policy configuration.

Available

Patch

A patched-image rebuild pinned to Chrome 148.0.7778.216 becomes available in HarborGuard the moment the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker must deliver a crafted HTML page over the network to a target running the affected Chrome version on Android.
AuthenticationNot required
No account or credential is needed to serve the malicious page; any unauthenticated remote attacker can attempt delivery.
Victim interactionRequired
The target user must navigate to or be social-engineered into loading a specially crafted HTML page in the affected browser.
Attack complexityDetail
Exploitation is high complexity because the attacker must first have compromised the Chrome renderer process before attempting the GPU sandbox escape, introducing a significant precondition.

Blast Radius

A successful attacker escapes the Chrome browser sandbox on the target Android device, gaining code execution in a more privileged context outside the renderer.
With high confidentiality impact, the attacker reads data accessible beyond the sandbox boundary, including session tokens, credentials, and on-device storage.
With high integrity impact, the attacker modifies files, application data, or system state outside the browser sandbox.
With high availability impact, the attacker disrupts or crashes processes and services on the affected device beyond the browser itself.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-9898 is active across all connected registries and build pipelines, matching any image that bundles an affected Chrome version on Android against the published advisory. For environments where images include Chrome as a shipped component, a rebuild targeting the fixed version 148.0.7778.216 is available. For customers who opt into auto-remediation, HarborGuard performs the patched rebuild, runs regression tests, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, the triage finding is routed to the designated team inbox with full CVSS context and affected image inventory attached.

See how HarborGuard automates this

CVSS v3.1: 8.3
Severity: HIGH
Fixed in: 148.0.7778.216
Affected Products: 1

Fix available

148.0.7778.216

Affected packages

Google / Chrome
< 148.0.7778.216 (from 148.0.7778.216)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

References

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Metrics

Fix available