Description
Race in MHTML in Google Chrome prior to 147.0.7727.138 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: High)
Published: 2026-04-28
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Race condition in the MHTML processor of Google Chrome allows an attacker who has tricked a user into installing a malicious extension to read cross‑origin data. The attacker crafts a malicious Chrome Extension to trigger the race, causing the extension to gain access to data it should not see. This vulnerability is a race condition (CWE-362) involving improper synchronization (CWE-368) and results in unauthorized disclosure of sensitive information.

Affected Systems

The flaw exists in Google Chrome for desktop, affecting all versions prior to 147.0.7727.138. Any machine running those versions and with the ability to install third‑party extensions is impacted. Upgrading to Chrome 147.0.7727.138 or later resolves the issue.

Risk and Exploitability

The CVSS score is 3.1 (low severity). The EPSS score is < 1%, indicating a very low but non‑zero probability of exploitation. The vulnerability is not listed in CISA KEV. Exploitation requires the user to install a malicious extension, so it depends on social engineering or deceptive content. Once the extension is installed, however, the attacker can read cross‑origin data from the victim’s browsing context.

Generated by OpenCVE AI on April 29, 2026 at 17:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Chrome update to version 147.0.7727.138 or later.
  • Ensure extensions are installed only from trusted sources and enforce enterprise approval policies.
  • Monitor for suspicious extensions and immediately block or remove any that appear malicious.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 14:15:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}; cvssV3_1 {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}


Wed, 29 Apr 2026 12:15:00 +0000

Type: Title
Values Removed: Race Condition in MHTML Handling Allows Cross‑Origin Data Leakage via Malicious Extension
Values Added: chromium-browser: Race in MHTML

Type: Weaknesses
Values Added: CWE-368

Type: References

Type: Metrics
Values Removed: threat_severity None
Values Added: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N'}; threat_severity Important


Wed, 29 Apr 2026 01:30:00 +0000

Type: Title
Values Added: Race Condition in MHTML Handling Allows Cross‑Origin Data Leakage via Malicious Extension

Wed, 29 Apr 2026 01:15:00 +0000

Type: First Time appeared
Values Added: Google; Google chrome

Type: Vendors & Products
Values Added: Google; Google chrome

Tue, 28 Apr 2026 23:00:00 +0000

Type: Description
Values Added: Race in MHTML in Google Chrome prior to 147.0.7727.138 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: High)

Type: Weaknesses
Values Added: CWE-362

Type: References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-29T13:20:18.258Z

Reserved: 2026-04-28T20:02:43.908Z

Link: CVE-2026-7351

Vulnrichment

Updated: 2026-04-29T13:20:04.159Z

NVD

Status: Received

Published: 2026-04-28T23:16:22.680

Modified: 2026-04-29T14:16:22.253

Link: CVE-2026-7351

Redhat

Severity: Important

Public Date: 2026-04-28T00:00:00Z

Links: CVE-2026-7351 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T17:15:16Z

Weaknesses