How is CVE-2026-9956 exploited?

Network reachability (required): The attacker delivers the exploit over the network by serving a crafted HTML page, so the targeted device must be able to reach attacker-controlled web content. Authentication (not-required): No account or prior authentication is needed; the attacker only needs the victim to visit a malicious page. Victim interaction (required): The attacker must socially engineer the user into performing specific UI gestures within the crafted page before the vulnerability is triggered. Attack complexity (info): Attack complexity is rated High, meaning the exploit depends on environmental or timing factors beyond the attacker's direct control, such as specific memory layout conditions in the browser process.

What is the impact of CVE-2026-9956?

The attacker executes arbitrary code within the Chrome browser process on the victim's iOS device. Confidentiality impact is high: the attacker reads browser memory, stored credentials, session tokens, and any data accessible to the Chrome process. Integrity impact is high: the attacker modifies in-process data, injects content, or writes to storage accessible by the browser. Availability impact is high: the attacker crashes or destabilizes the browser process, causing a denial of service to the user.

Back to search

HIGHCVE-2026-9956Published 2026-05-28Modified 2026-05-30CNA Chrome

CVE-2026-9956: Use after free in iOS in Google Chrome on iOS prior to 148

Use after free in iOS in Google Chrome on iOS prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

HarborGuard Analysis

HarborGuard analysis

Synopsis

Use-after-free in Google Chrome on iOS (versions prior to 148.0.7778.216) allows a remote attacker to execute arbitrary code on the affected device. The vulnerability is reachable over the network but requires the attacker to convince a target user to perform specific UI gestures on a crafted HTML page; no prior authentication is needed. Successful exploitation gives the attacker full code execution within the browser process, combining confidentiality, integrity, and availability impact. A patched-image rebuild at version 148.0.7778.216 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-9956 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle Chrome on iOS base layers. Any image in a customer registry or CI pipeline carrying a Chrome version below 148.0.7778.216 is flagged automatically.

Available

Triage

HarborGuard scores this finding at CVSS 7.5 HIGH (v3.1) and is capable of weighting that score against each customer environment's compliance policy to surface the right severity tier. Triage routing to the appropriate team inbox inside each customer org is available based on policy configuration.

Available

Patch

A patched-image rebuild pinned to Chrome 148.0.7778.216 becomes available on HarborGuard as soon as the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard rebuilds the affected image, runs a regression test suite, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the exploit over the network by serving a crafted HTML page, so the targeted device must be able to reach attacker-controlled web content.
AuthenticationNot required
No account or prior authentication is needed; the attacker only needs the victim to visit a malicious page.
Victim interactionRequired
The attacker must socially engineer the user into performing specific UI gestures within the crafted page before the vulnerability is triggered.
Attack complexityDetail
Attack complexity is rated High, meaning the exploit depends on environmental or timing factors beyond the attacker's direct control, such as specific memory layout conditions in the browser process.

Blast Radius

The attacker executes arbitrary code within the Chrome browser process on the victim's iOS device.
Confidentiality impact is high: the attacker reads browser memory, stored credentials, session tokens, and any data accessible to the Chrome process.
Integrity impact is high: the attacker modifies in-process data, injects content, or writes to storage accessible by the browser.
Availability impact is high: the attacker crashes or destabilizes the browser process, causing a denial of service to the user.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-9956 is active across all connected registries and pipelines, matching any image bundling Chrome below 148.0.7778.216 within minutes of scan. A patched-image rebuild at the fixed version is available for affected environments. For customers who opt into auto-remediation, HarborGuard handles the full rebuild, runs regression tests, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding is surfaced with severity weighting and fix-version detail so engineering teams can act manually. Until a rebuild is deployed, compensating controls such as network-policy restrictions limiting access to untrusted web origins and container-level egress filtering are worth considering to reduce exposure.

See how HarborGuard automates this

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 148.0.7778.216
Affected Products: 1

Fix available

148.0.7778.216

Affected packages

Google / Chrome
< 148.0.7778.216 (from 148.0.7778.216)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Metrics

Fix available