Description
Inappropriate implementation in Preload in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-05-06
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An inappropriate implementation in the Preload feature of Google Chrome allowed a remote attacker to leak cross‑origin data via a crafted HTML page. The vulnerability can expose sensitive content from other origins, leading to a confidentiality breach. The Chromium security team rated the issue as low severity, but the potential data exposure remains significant for users visiting maliciously crafted sites.

Affected Systems

Google Chrome is affected, specifically any installation prior to version 148.0.7778.96. Users running these older Chrome releases are susceptible to the data leakage flaw.

Risk and Exploitability

The EPSS score is below 1% and the CVE is not listed in the CISA KEV catalog, indicating a very low probability of exploitation and no known widespread exploitation. The likely attack vector is remote: a maliciously crafted web page that the victim loads. An attacker can exploit the bug by tricking a user's browser into loading a specially designed page that triggers the Preload mechanism, thereby leaking data from a different origin. While the severity rating is low, the confidentiality impact is real and remediation is advised.

Generated by OpenCVE AI on May 9, 2026 at 04:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 148.0.7778.96 or later, ensuring that the Preload bug is fixed
  • Enable automatic updates in Chrome to receive future security patches promptly
  • If you operate an environment that prohibits exposure of cross‑origin data, consider disabling the Preload feature via policy or configuration tools until a patch is available



Advisories
Source | ID | Title
Debian DSA | DSA-6250-1 | chromium security update
History

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Title Chrome Preload Feature Causing Cross‑Origin Data Leakage chromium-browser: Inappropriate implementation in Preload
Weaknesses CWE-346
References
Metrics threat_severity

None

threat_severity

Low


Thu, 07 May 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Thu, 07 May 2026 03:30:00 +0000

Type Values Removed Values Added
Title Chrome Preload Feature Causing Cross‑Origin Data Leakage

Thu, 07 May 2026 01:15:00 +0000

Type Values Removed Values Added
Title Cross‑origin Data Leakage via Preload Feature in Google Chrome
Weaknesses CWE-200

Wed, 06 May 2026 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 06 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 06 May 2026 21:00:00 +0000

Type Values Removed Values Added
Title Cross‑origin Data Leakage via Preload Feature in Google Chrome
Weaknesses CWE-200

Wed, 06 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Preload in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-06T21:46:24.955Z

Reserved: 2026-05-05T22:59:35.273Z

Link: CVE-2026-8014

Vulnrichment

Updated: 2026-05-06T20:58:16.590Z

NVD

Status: Analyzed

Published: 2026-05-06T19:16:52.353

Modified: 2026-05-07T15:16:42.573

Link: CVE-2026-8014

Redhat

Severity: Low

Public Date: 2026-05-05T00:00:00Z

Links: CVE-2026-8014 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T04:15:06Z

Weaknesses