Description
Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to potentially perform a sandbox escape via malicious network traffic. (Chromium security severity: Low)
Published: 2026-05-06
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw stems from inadequate policy enforcement in Google Chrome’s DevTools, which allows data received over the network to be processed in a way that can lift sandbox restrictions. A remote attacker who delivers crafted network traffic to a vulnerable Chrome client could use this weakness to escape the browser sandbox, potentially leading to arbitrary code execution or further compromise of the host. The description labels the issue as a low-severity Chromium vulnerability, yet the consequences of a successful sandbox escape are significant, affecting the confidentiality, integrity, and availability of the host system.

Affected Systems

Google Chrome installations running any version prior to 148.0.7778.96 are vulnerable. The issue is specific to Windows, macOS, and Linux desktop clients that expose DevTools to network input. All affected users who have not updated Chrome to at least 148.0.7778.96 remain at risk.

Risk and Exploitability

The Common Vulnerability Scoring System (CVSS) score is 8.1, indicating high severity, and the Exploit Prediction Scoring System (EPSS) value is unavailable in the current data. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. With a high severity rating but no known widespread exploitation, the likelihood of exploitation appears modest. Nonetheless, the criticality of a sandbox escape warrants attention, since the attack surface is remote and does not require privileged local access.

Generated by OpenCVE AI on May 7, 2026 at 03:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 148.0.7778.96 or later to receive the policy enforcement fix
  • Disable or restrict DevTools access for untrusted or remote webpages using Chrome policy or group policy settings
  • Monitor network traffic and employ endpoint protection solutions to detect anomalous data that may target the DevTools sandbox



Advisories

No advisories yet.

History

Thu, 07 May 2026 03:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-305

Thu, 07 May 2026 01:15:00 +0000

Type Values Removed Values Added
Title Insufficient Policy Enforcement in Chrome DevTools Enabling Potential Sandbox Escape
Weaknesses CWE-264
CWE-284

Wed, 06 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 06 May 2026 21:00:00 +0000

Type Values Removed Values Added
Title Insufficient Policy Enforcement in Chrome DevTools Enabling Potential Sandbox Escape
First Time appeared Google
Google chrome
Weaknesses CWE-264
CWE-284
Vendors & Products Google
Google chrome

Wed, 06 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to potentially perform a sandbox escape via malicious network traffic. (Chromium security severity: Low)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-07T03:56:53.772Z

Reserved: 2026-05-05T22:59:36.300Z

Link: CVE-2026-8018

Vulnrichment

Updated: 2026-05-06T20:55:29.255Z

NVD

Status: Undergoing Analysis

Published: 2026-05-06T19:16:52.770

Modified: 2026-05-06T22:16:46.510

Link: CVE-2026-8018

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T03:15:20Z

Weaknesses