Description
Insufficient validation of untrusted input in Updater in Google Chrome on Windows prior to 148.0.7778.96 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Medium)
Published: 2026-05-06
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an insufficient validation of untrusted input in the Chrome Updater on Windows. A local attacker can supply a malicious file that is processed by the updater, causing the operating system to execute code with elevated privileges. The flaw is a classic input‑validation weakness and is catalogued as CWE‑20. As a result, once the malicious file is ingested by the updater, the attacker may gain OS‑level privileges and compromise the integrity and confidentiality of the affected system.

Affected Systems

Google Chrome running on Windows, any version prior to 148.0.7778.96. Users on older releases are susceptible to this local privilege‑escalation flaw.

Risk and Exploitability

The flaw has a Chromium-reported severity of Medium. The CVSS score is 7.8. No EPSS score is available, indicating an unknown likelihood of exploitation. It is not listed in the CISA KEV catalog, suggesting no current widespread active exploitation. The attack requires local access with the ability to place a file that the Chrome Updater will process. Because of the potential for privilege escalation, the risk to systems with unauthenticated local attackers is high, and remediation is recommended.

Generated by OpenCVE AI on May 7, 2026 at 00:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 148.0.7778.96 or later. This official fix removes the input validation flaw in the Updater.
  • If an immediate update is not feasible, temporarily disable the Chrome auto‑update service to prevent the updater from processing malicious files.
  • Run a system integrity scan to detect and remove any unauthorized malicious updater files that may have already been placed on the machine.

Generated by OpenCVE AI on May 7, 2026 at 00:31 UTC.

Advisories
Source | ID | Title
Debian DSA | DSA-6250-1 | chromium security update
History

Thu, 07 May 2026 01:00:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Untrusted Input in Chrome Updater

Wed, 06 May 2026 23:30:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft windows

Wed, 06 May 2026 23:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 06 May 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Wed, 06 May 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 06 May 2026 20:30:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Untrusted Input in Chrome Updater

Wed, 06 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in Updater in Google Chrome on Windows prior to 148.0.7778.96 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Medium)
Weaknesses CWE-20
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-07T03:56:59.243Z

Reserved: 2026-05-05T22:59:29.150Z

Link: CVE-2026-7990

Vulnrichment

Updated: 2026-05-06T21:34:18.350Z

NVD

Status: Analyzed

Published: 2026-05-06T19:16:49.877

Modified: 2026-05-06T23:20:16.747

Link: CVE-2026-7990

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T00:45:16Z

Weaknesses