Description
Insufficient validation of untrusted input in UI in Google Chrome on Linux, ChromeOS prior to 148.0.7778.96 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-05-06
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in how Google Chrome validates untrusted UI input on Linux and ChromeOS allows a remote attacker to execute arbitrary code, but only when the user performs a specific series of UI gestures after visiting a malicious HTML page. The vulnerability is an input validation weakness (CWE‑20) and is rated medium in Chromium’s severity assessment.

Affected Systems

The issue affects Google Chrome on Linux and ChromeOS platforms, impacting all versions before 148.0.7778.96. No post‑148.0.7778.96 releases are mentioned to be vulnerable.

Risk and Exploitability

Because exploitation requires user interaction with a crafted web page and deliberate UI gestures, the attack surface is limited but the potential impact remains arbitrary code execution. The CVSS score of 8.8 indicates a high severity, whereas Chromium rates the flaw as medium. The EPSS score is not available, the vulnerability is not listed in the CISA KEV catalog, and the vendor’s security team has marked the flaw as medium severity. A successful exploit would give the attacker the same privileges as the logged‑in user on the affected device.

Generated by OpenCVE AI on May 7, 2026 at 00:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest stable Chrome update (148.0.7778.96 or later).
  • Encourage users to avoid performing suspicious UI gestures when browsing unknown sites.
  • Ensure Chrome's automatic update mechanism remains enabled so that future security fixes are applied promptly.

Generated by OpenCVE AI on May 7, 2026 at 00:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6250-1 chromium security update
History

Thu, 07 May 2026 01:15:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Untrusted UI Input in Chrome on Linux and ChromeOS

Wed, 06 May 2026 23:30:00 +0000

Type Values Removed Values Added
First Time appeared Google chrome Os
Linux
Linux linux Kernel
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:google:chrome_os:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
Vendors & Products Google chrome Os
Linux
Linux linux Kernel

Wed, 06 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 06 May 2026 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 06 May 2026 21:15:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Untrusted UI Input in Chrome on Linux and ChromeOS

Wed, 06 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in UI in Google Chrome on Linux, ChromeOS prior to 148.0.7778.96 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-20
References

Subscriptions

Google Chrome Chrome Os
Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-07T03:55:55.609Z

Reserved: 2026-05-05T22:59:29.639Z

Link: CVE-2026-7992

cve-icon Vulnrichment

Updated: 2026-05-06T18:49:05.912Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T19:16:50.080

Modified: 2026-05-06T23:19:45.137

Link: CVE-2026-7992

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T01:00:14Z

Weaknesses