Description
Insufficient validation of untrusted input in Cast in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-05-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Google Chrome contains an input validation flaw in Cast that allows a remote attacker who has already compromised the renderer process to gain higher privileges on the system. The weakness is a classic untrusted input issue (CWE‑20) and also identified as a logic flaw that allows privilege escalation (CWE‑1286). The flaw does not provide network connectivity but enables the attacker to elevate privilege from the renderer to other processes, potentially compromising the host.

Affected Systems

All Google Chrome installations running before version 148.0.7778.96 are affected. This includes desktop releases on Windows, macOS, and Linux where Cast functionality is enabled.

Risk and Exploitability

The CVSS score is 7.5, indicating a high severity vulnerability. The EPSS score is <1% and the vulnerability is not listed in CISA’s KEV catalog, indicating no publicly known exploits yet. However, the attack requires that the attacker has already obtained control of the renderer process, so the vector is local within a compromised browser session. Immediate patching is recommended to eliminate the possibility of privilege escalation from a malicious web page exploiting this Cast input validation issue.

Generated by OpenCVE AI on May 9, 2026 at 04:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install Chrome version 148.0.7778.96 or later to apply the Cast input validation fix
  • Ensure that Chrome automatic updates are enabled so future patches are delivered automatically
  • If unable to update, disable Cast functionality or run Chrome in a restricted sandbox to limit renderer privileges

Generated by OpenCVE AI on May 9, 2026 at 04:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6250-1 chromium security update
History

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Insufficient validation of untrusted input in Cast
Weaknesses CWE-1286
References
Metrics threat_severity

None

 threat_severity

Low

Thu, 07 May 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Thu, 07 May 2026 00:45:00 +0000

Type Values Removed Values Added
Title Chrome Cast Input Validation Flaw Enables Privilege Escalation

Wed, 06 May 2026 23:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 06 May 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Wed, 06 May 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 06 May 2026 20:30:00 +0000

Type Values Removed Values Added
Title Chrome Cast Input Validation Flaw Enables Privilege Escalation

Wed, 06 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in Cast in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)
Weaknesses CWE-20
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-07T03:56:54.857Z

Reserved: 2026-05-05T22:59:33.581Z

Link: CVE-2026-8007

cve-icon Vulnrichment

Updated: 2026-05-06T21:19:40.310Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T19:16:51.673

Modified: 2026-05-07T15:17:36.547

Link: CVE-2026-8007

cve-icon Redhat

Severity : Low

Publid Date: 2026-05-05T00:00:00Z

Links: CVE-2026-8007 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T04:15:06Z

Weaknesses