Description
Insufficient validation of untrusted input in Updater in Google Chrome on Mac prior to 148.0.7778.96 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Low)
Published: 2026-05-06
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Chrome Updater on macOS validates untrusted input poorly, enabling a local attacker to replace or inject update files that are then executed with Chrome's privileges. An attacker who can place a malicious file in the updater directory can therefore run code with the same rights as the user running Chrome, effectively achieving OS-level privilege escalation. The weakness is a classic improper input validation bug, classified as CWE-20. The official Chromium severity for this issue is Low, but successful exploitation amounts to full compromise of the affected machine.

Affected Systems

Google Chrome versions on macOS older than 148.0.7778.96 are affected. The vulnerability resides in the updater component that accepts files from the local filesystem without adequate validation, allowing any user with write access to the updater folder to introduce and execute malicious updates.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. Exploitation requires local access in order to place a malicious file in the Chrome Updater location. No publicly known exploit is available and the EPSS score is not provided. The vulnerability is not listed in the CISA KEV catalog. While the potential impact of exploitation is high, giving the attacker system-wide control, the risk of compromise is therefore confined to environments where a local attacker can write to the updater directory. The official Chromium severity of Low reflects that the flaw is not remotely exploitable, but it remains potentially catastrophic once the local conditions are met.

Generated by OpenCVE AI on May 7, 2026 at 00:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install Google Chrome 148.0.7778.96 or later to remove the insecure updater logic.
  • Clear the Chrome Updater directory of any suspicious or unknown files before reinstalling the updated Chrome version.
  • Configure macOS to run Chrome under a non‑privileged user or enforce sandbox restrictions to limit the blast radius of local exploitation.

Advisories

Source: Debian DSA
ID: DSA-6250-1
Title: chromium security update

History

Each entry lists the changed field (Type) and the values added; no entry in this history removed any values.

Thu, 07 May 2026 01:15:00 +0000
  Title (added): Local Privilege Escalation via Untrusted Input in Chrome Updater on macOS

Wed, 06 May 2026 23:30:00 +0000
  First Time appeared (added): Apple; Apple macos
  CPEs (added): cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*; cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
  Vendors & Products (added): Apple; Apple macos

Wed, 06 May 2026 22:15:00 +0000
  Metrics (added):
    cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 06 May 2026 21:45:00 +0000
  Title (added): Local Privilege Escalation via Untrusted Input in Chrome Updater on macOS

Wed, 06 May 2026 21:15:00 +0000
  First Time appeared (added): Google; Google chrome
  Vendors & Products (added): Google; Google chrome

Wed, 06 May 2026 18:30:00 +0000
  Description (added): Insufficient validation of untrusted input in Updater in Google Chrome on Mac prior to 148.0.7778.96 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Low)
  Weaknesses (added): CWE-20
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-07T03:56:57.063Z

Reserved: 2026-05-05T22:59:30.933Z

Link: CVE-2026-7997

Vulnrichment

Updated: 2026-05-06T21:26:17.439Z

NVD

Status: Analyzed

Published: 2026-05-06T19:16:50.607

Modified: 2026-05-06T23:18:39.007

Link: CVE-2026-7997

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T01:00:14Z

Weaknesses