CVE-2026-9122 Overview
CVE-2026-9122 is an out-of-bounds read vulnerability [CWE-125] in the GPU component of Google Chrome on macOS. The flaw affects Chrome versions prior to 148.0.7778.179. A remote attacker can exploit the issue by serving a crafted HTML page to a targeted user. Successful exploitation discloses potentially sensitive information from process memory. Chromium rates the security severity as Medium. The vulnerability requires user interaction, since the victim must visit attacker-controlled content. No public exploit code or in-the-wild exploitation has been reported.
Critical Impact
Remote attackers can read memory contents from the Chrome GPU process by tricking users into loading a malicious HTML page, exposing data such as session artifacts or cross-origin content.
Affected Products
- Google Chrome for macOS prior to 148.0.7778.179
- Chromium-based browsers on macOS using vulnerable GPU code paths
- Downstream macOS browser builds that have not merged the upstream fix
Discovery Timeline
- 2026-05-20 - CVE-2026-9122 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-9122
Vulnerability Analysis
The vulnerability is an out-of-bounds read [CWE-125] within Chrome's GPU process on macOS. The GPU process handles rendering, compositing, and WebGL or related graphics workloads on behalf of renderer processes. When the affected code path processes a crafted resource referenced from an HTML page, it reads memory beyond the bounds of an intended buffer. The returned data can be relayed back to attacker-controlled JavaScript, which converts a local read into a remote information disclosure primitive.
The issue does not directly enable code execution or memory corruption. However, leaked process memory can include pointers, texture data, or other artifacts that aid in defeating address space layout randomization (ASLR) and chaining additional Chrome bugs. Google fixed the issue in Chrome 148.0.7778.179 on the stable channel for desktop.
Root Cause
The root cause is missing or insufficient bounds validation before a read operation in a GPU code path. The vulnerable function trusts size or offset values derived from attacker-influenced inputs, then reads adjacent memory. See the Chromium Issue Tracker Entry for the upstream defect record.
Attack Vector
Attack delivery is remote and requires user interaction. The attacker hosts or injects a crafted HTML page that triggers the vulnerable GPU code path. When the victim loads the page in a vulnerable Chrome build on macOS, the GPU process reads out-of-bounds memory. The attacker harvests the leaked bytes through scripted graphics APIs exposed to the page.
The vulnerability is described in prose only because no verified proof-of-concept code is published. Refer to the Google Blog Chrome Update for vendor details.
Detection Methods for CVE-2026-9122
Indicators of Compromise
- Chrome GPU process crashes or unexpected restarts on macOS endpoints correlated with browsing activity
- Outbound connections from Chrome to untrusted domains immediately preceding GPU process anomalies
- Browser telemetry showing Chrome versions earlier than 148.0.7778.179 on macOS hosts
Detection Strategies
- Inventory installed Chrome versions across macOS fleets and flag builds below 148.0.7778.179
- Monitor endpoint logs for repeated Google Chrome Helper (GPU) faults that may indicate exploitation attempts
- Correlate web proxy logs with visited URLs hosting heavy WebGL or canvas content from low-reputation domains
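The version inventory check from the list above, as an added example (not from the vendor or the original page). It compares dotted Chrome versions field by field as integers, because a plain string comparison would rank 148.0.7778.99 above 148.0.7778.179. The function names and the default install path are assumptions.

```sh
#!/bin/sh
# Added example: flag Chrome builds older than the fixed release named in the advisory.
FIXED_VERSION="148.0.7778.179"

# version_lt A B: succeed (exit 0) when dotted version A is numerically lower than B.
# A missing trailing field counts as 0, so 148.0.7778 is lower than 148.0.7778.179.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        # Drop the field just read; an exhausted version becomes empty.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -lt "$fb" ] && return 0
        [ "$fa" -gt "$fb" ] && return 1
    done
    return 1   # equal versions are not "lower"
}

# classify_version VERSION: print VULNERABLE, PATCHED or UNKNOWN.
# Anything that is not digits separated by single dots is UNKNOWN, never PATCHED.
classify_version() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) echo UNKNOWN; return 0 ;;
    esac
    if version_lt "$1" "$FIXED_VERSION"; then echo VULNERABLE; else echo PATCHED; fi
}

# scan_bundle APP_PATH: read the bundle version and print path, version and verdict.
# Assumes macOS, where `defaults read` can parse the bundle's Info.plist.
scan_bundle() {
    v=$(defaults read "$1/Contents/Info" CFBundleShortVersionString 2>/dev/null) || v=
    printf '%s\t%s\t%s\n' "$1" "${v:-unreadable}" "$(classify_version "$v")"
}

# Scan only on macOS and only if the default install path exists (path is an assumption).
APP="/Applications/Google Chrome.app"
if command -v defaults >/dev/null 2>&1 && [ -d "$APP" ]; then
    scan_bundle "$APP"
fi
```

An UNKNOWN verdict means the version could not be read or parsed and the host needs a manual check.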
Monitoring Recommendations
- Enable Chrome enterprise reporting to centrally collect version and crash telemetry
- Forward macOS unified logs and EDR telemetry to a central data lake for retrospective hunting
- Alert on Chrome processes spawning unexpected child processes or writing to unusual file paths after page loads
How to Mitigate CVE-2026-9122
Immediate Actions Required
- Update Google Chrome on macOS to version 148.0.7778.179 or later on all managed endpoints
- Restart Chrome after the update so the patched GPU process binary is loaded
- Audit any Chromium-derived browsers on macOS and apply equivalent upstream fixes
Patch Information
Google released the fix in the stable channel update for desktop documented in the Google Blog Chrome Update. Administrators should ensure that Chrome auto-update is functional or push the update through MDM tooling such as Jamf, Intune, or Kandji.
Workarounds
- Restrict browsing to trusted sites until the patched Chrome build is deployed
- Disable GPU acceleration via the --disable-gpu command-line flag or enterprise policy as a temporary control
- Use macOS application allowlisting to block execution of outdated Chrome binaries
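# Configuration example: set Chrome policy keys with `defaults write`
# TargetVersionPrefix pins updates to this version prefix; it is not a minimum-version floor
defaults write com.google.Chrome TargetVersionPrefix -string "148.0.7778.179"
# Disable hardware acceleration as a temporary control
defaults write com.google.Chrome HardwareAccelerationModeEnabled -bool false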


