Description
Insufficient validation of untrusted input in Permissions in Google Chrome prior to 148.0.7778.96 allowed an attacker on the local network segment to leak cross-origin data via malicious network traffic. (Chromium security severity: Medium)
Published: 2026-05-06
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient validation of untrusted input in the Permissions feature of Google Chrome prior to version 148.0.7778.96 can allow an attacker on the same local network segment to initiate malicious network traffic and extract data that belongs to a different origin. The flaw is a classic input validation weakness (CWE‑20) and was rated as medium severity by Chromium.

Affected Systems

All installations of Google Chrome that have not been updated to at least version 148.0.7778.96 are vulnerable. This includes desktop clients on Windows, macOS, Linux, and related mobile variants that have not applied the latest stable channel update.

Risk and Exploitability

Exploitation requires an attacker on the same local network segment who can send crafted network traffic to Chrome. No public exploit code is indicated and nothing suggests a remote code execution capability. The EPSS score is below 1% (very low), and the vulnerability is not listed in CISA’s KEV catalog. The CVSS score of 4.3 indicates medium severity. The CVSS vector rates the attack vector as adjacent network (AV:A), so the flaw is easier to trigger in unprotected, shared‑network environments, making the risk moderate to high for networks that allow unmanaged devices to communicate with the browser.

Generated by OpenCVE AI on May 7, 2026 at 00:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 148.0.7778.96 or later when it becomes available in your operating system’s package manager or Chrome's own updater.
  • If a timely update is not possible, disable or restrict the Permissions feature via enterprise policy or through Chrome’s local policy settings to limit the ability to process untrusted input.
  • Monitor network traffic for malicious activity that could indicate exploitation attempts, and apply network segmentation or firewall rules to reduce the attack surface in local network segments.

Advisories

No advisories yet.

History

Thu, 07 May 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Thu, 07 May 2026 01:00:00 +0000

Type Values Removed Values Added
Title Local Network Data Leakage via Permissions Feature in Google Chrome

Wed, 06 May 2026 23:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 06 May 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Wed, 06 May 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 06 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in Permissions in Google Chrome prior to 148.0.7778.96 allowed an attacker on the local network segment to leak cross-origin data via malicious network traffic. (Chromium security severity: Medium)
Weaknesses CWE-20
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-06T21:54:51.757Z

Reserved: 2026-05-05T22:59:21.074Z

Link: CVE-2026-7961

Vulnrichment

Updated: 2026-05-06T19:30:48.292Z

NVD

Status: Analyzed

Published: 2026-05-06T19:16:46.150

Modified: 2026-05-07T02:03:31.953

Link: CVE-2026-7961

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T00:45:16Z

Weaknesses