Description
Inappropriate implementation in Chromoting in Google Chrome on Windows prior to 148.0.7778.96 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Medium)
Published: 2026-05-06
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw stems from an inappropriate implementation in Chrome’s Chromoting component on Windows, enabling a local attacker to execute a specially crafted file that escalates privileges to the OS level. This grants the attacker capabilities to modify system settings, install software, or access sensitive data under the victim’s account, effectively compromising the integrity and confidentiality of the affected machine. The weakness aligns with a typical privilege‑elevation vulnerability.

Affected Systems

Google Chrome for Windows versions earlier than 148.0.7778.96 are susceptible. Systems running any older stable release that have Chromoting enabled may be impacted. The issue is confined to Windows platforms using Chrome as the browser.

Risk and Exploitability

The issue has a CVSS score of 7.8, reflecting a high severity assessment; it has no reported EPSS score and is not listed in the CISA KEV catalog, yet the local nature of the flaw still poses a significant risk in environments where users execute untrusted files. An attacker must have local access to place a malicious file or persuade a user to run Chrome with the harmful payload. Once executed, the elevated rights can lead to unchecked system modifications.

Generated by OpenCVE AI on May 7, 2026 at 03:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to the latest stable release that includes the fix for the Chromoting privilege escalation vulnerability. This may require upgrading to version 148.0.7778.96 or later.
  • If an immediate update is not possible, disable the Chromoting feature in Chrome’s settings or remove any plugins/extensions that expose Chromoting functionality, limiting the attacker’s ability to leverage the flaw.
  • Ensure the Windows operating system and any related security patches are current to reduce the attack surface for privilege‑elevation exploits, and consider applying application control mechanisms such as AppLocker or Windows Defender Application Control to prevent execution of malicious files.

Advisories
Source | ID | Title
Debian DSA | DSA-6250-1 | chromium security update

History

Thu, 07 May 2026 04:15:00 +0000

Type Values Removed Values Added
Title Chrome Chromoting Privilege Escalation on Windows via Malicious File

Thu, 07 May 2026 01:15:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Malicious File in Chrome Chromoting on Windows
Weaknesses CWE-285

Wed, 06 May 2026 23:30:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft windows

Wed, 06 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 06 May 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 06 May 2026 20:30:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Malicious File in Chrome Chromoting on Windows
Weaknesses CWE-269
CWE-285

Wed, 06 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Chromoting in Google Chrome on Windows prior to 148.0.7778.96 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Medium)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-07T03:56:58.154Z

Reserved: 2026-05-05T22:59:30.173Z

Link: CVE-2026-7994

Vulnrichment

Updated: 2026-05-06T21:30:55.441Z

NVD

Status: Analyzed

Published: 2026-05-06T19:16:50.277

Modified: 2026-05-06T23:19:18.893

Link: CVE-2026-7994

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T04:00:14Z

Weaknesses