Description
Inappropriate implementation in Companion in Google Chrome on Mac prior to 148.0.7778.96 allowed a remote attacker to perform OS-level privilege escalation via malicious network traffic. (Chromium security severity: Medium)
Published: 2026-05-06
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An inappropriate implementation in the Companion component of Google Chrome on macOS, in versions earlier than 148.0.7778.96, can allow a remote attacker to perform privileged system-level actions. Malicious network traffic can trigger the flaw and elevate the attacker's privileges to those of the operating system. This can lead to full compromise of the affected machine, exposing all files and services to the attacker.

Affected Systems

Google Chrome for macOS. Versions prior to 148.0.7778.96 are affected. All installations that run a vulnerable Chrome build on macOS are at risk until updated to the patched version.

Risk and Exploitability

The vulnerability is remotely exploitable via network traffic targeting the Chrome Companion interface. An attacker needs to reach the victim's machine over a network channel that the affected browser accepts, and can then trigger the flaw to gain operating-system privileges. The EPSS score is below 1% (very low), and the vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 7, 2026 at 03:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome on macOS to version 148.0.7778.96 or later
  • Disable the Companion feature in Chrome preferences until the update is applied
  • Restrict incoming traffic to Chrome’s Companion ports via firewall or network segmentation until the patch is installed

Generated by OpenCVE AI on May 7, 2026 at 03:15 UTC.

Advisories

No advisories yet.

History

Thu, 07 May 2026 03:30:00 +0000

Type Values Removed Values Added
Title Privilege Escalation via Improper Implementation in Chrome Companion on macOS

Thu, 07 May 2026 01:15:00 +0000

Type Values Removed Values Added
Title Privilege Escalation via Malicious Network Traffic in Chrome Companion on Mac
Weaknesses CWE-264

Wed, 06 May 2026 23:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos

Wed, 06 May 2026 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 06 May 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 06 May 2026 20:45:00 +0000

Type Values Removed Values Added
Title Privilege Escalation via Malicious Network Traffic in Chrome Companion on Mac
Weaknesses CWE-264

Wed, 06 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Companion in Google Chrome on Mac prior to 148.0.7778.96 allowed a remote attacker to perform OS-level privilege escalation via malicious network traffic. (Chromium security severity: Medium)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-07T03:57:00.415Z

Reserved: 2026-05-05T22:59:25.764Z

Link: CVE-2026-7978

Vulnrichment

Updated: 2026-05-06T21:36:50.696Z

NVD

Status: Analyzed

Published: 2026-05-06T19:16:48.670

Modified: 2026-05-06T23:23:59.177

Link: CVE-2026-7978

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T03:15:20Z
