Description
Insufficient policy enforcement in DirectSockets in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform arbitrary read/write via a crafted Chrome Extension. (Chromium security severity: Medium)
Published: 2026-05-06
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An insufficient policy enforcement bug in Chrome’s DirectSockets component permits a crafted Chrome Extension to manipulate the browser’s communication channel, enabling arbitrary reading and writing of data within the browser process. The flaw is associated with both CWE‑1220 (Insufficient Policy Enforcement) and CWE‑20 (Improper Input Validation), allowing a remote attacker—assuming the user installs the malicious extension—to access sensitive information or inject harmful content, thus compromising user data and browser integrity.

Affected Systems

Google Chrome desktop releases earlier than version 148.0.7778.96 are affected. No other Google products or third‑party browsers are currently known to be impacted.

Risk and Exploitability

The vulnerability requires the user to install a specially crafted extension, after which the attacker can read or modify data without further privileges. Because the EPSS score is 0.038% and the issue is not listed in CISA/KEV, the principal indicators of risk are the medium CVSS score of 5.4 and Chromium’s Medium severity rating. The attack vector is user interaction combined with the malicious extension, reducing the bandwidth of successful exploitation to scenarios where the user grants the extension permission.

Generated by OpenCVE AI on May 9, 2026 at 04:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Chrome update that includes the DirectSockets policy fix.
  • Remove any Chrome extensions that were installed from untrusted or unknown sources.
  • Configure enterprise Chrome policy to block installations of extensions from unknown developers and enforce auto‑update for all extensions.

Generated by OpenCVE AI on May 9, 2026 at 04:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6250-1 chromium security update
History

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Insufficient policy enforcement in DirectSockets
Weaknesses CWE-1220
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 07 May 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Thu, 07 May 2026 01:00:00 +0000

Type Values Removed Values Added
Title DirectSockets Policy Flaw in Chrome Enabling Arbitrary Read/Write via Malicious Extensions

Wed, 06 May 2026 23:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 06 May 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

Wed, 06 May 2026 21:45:00 +0000

Type Values Removed Values Added
Title DirectSockets Policy Flaw in Chrome Enabling Arbitrary Read/Write via Malicious Extensions

Wed, 06 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in DirectSockets in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform arbitrary read/write via a crafted Chrome Extension. (Chromium security severity: Medium)
Weaknesses CWE-20
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-06T21:54:42.375Z

Reserved: 2026-05-05T22:59:21.337Z

Link: CVE-2026-7962

cve-icon Vulnrichment

Updated: 2026-05-06T19:29:51.244Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T19:16:46.290

Modified: 2026-05-07T02:02:56.917

Link: CVE-2026-7962

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-05T00:00:00Z

Links: CVE-2026-7962 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T04:15:06Z

Weaknesses