Description
Insufficient validation of untrusted input in Cast in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-05-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Google Chrome contains an input validation flaw in Cast that allows a remote attacker who has already compromised the renderer process to gain higher privileges on the system. The weakness is a classic untrusted input issue (CWE-20) and is rated Low severity by Chromium security. The flaw does not provide network connectivity, but it enables the attacker to elevate privileges from the renderer to other processes, potentially compromising the host.

Affected Systems

All Google Chrome installations running before version 148.0.7778.96 are affected. This includes desktop releases on Windows, macOS, and Linux where Cast functionality is enabled.

Risk and Exploitability

The CVSS score is 7.5, indicating a high severity vulnerability. The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, indicating no publicly known exploits yet. However, the attack requires that the attacker has already obtained control of the renderer process, so the vector is local within a compromised browser session. Immediate patching is recommended to eliminate the possibility of privilege escalation from a malicious web page exploiting this Cast input validation issue.

Generated by OpenCVE AI on May 7, 2026 at 00:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install Chrome version 148.0.7778.96 or later to apply the Cast input validation fix
  • Ensure that Chrome automatic updates are enabled so future patches are delivered automatically
  • If unable to update, disable Cast functionality or run Chrome in a restricted sandbox to limit renderer privileges



Advisories

No advisories yet.

History

Thu, 07 May 2026 00:45:00 +0000

Type Values Removed Values Added
Title Chrome Cast Input Validation Flaw Enables Privilege Escalation

Wed, 06 May 2026 23:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 06 May 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Wed, 06 May 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 06 May 2026 20:30:00 +0000

Type Values Removed Values Added
Title Chrome Cast Input Validation Flaw Enables Privilege Escalation

Wed, 06 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in Cast in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)
Weaknesses CWE-20
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-07T03:56:54.857Z

Reserved: 2026-05-05T22:59:33.581Z

Link: CVE-2026-8007

Vulnrichment

Updated: 2026-05-06T21:19:40.310Z

NVD

Status: Undergoing Analysis

Published: 2026-05-06T19:16:51.673

Modified: 2026-05-06T22:16:44.870

Link: CVE-2026-8007

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T00:30:12Z

Weaknesses