CVE-2026-8520 - Vulnerability Details

- chromium-browser: chromium-browser: Race in Payments

Description

Race in Payments in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Published: 2026-05-14

Score: 8.3 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A race condition in the Payment subsystem of Google Chrome versions earlier than 148.0.7778.168 enables a remote attacker to trigger a sandbox escape through a specially crafted HTML page. This flaw originates from a concurrency issue (CWE-362) and a priority‑inversion problem (CWE-368) that could allow the attacker to break out of the renderer process sandbox and execute code with higher privileges on the client system.

Affected Systems

The vulnerability affects Google Chrome browsers running any version older than 148.0.7778.168 on desktop platforms. The affected versions are those listed in the official Chrome release notes prior to the 148.0.7778.168 update.

Risk and Exploitability

The EPSS score is not available, and the vulnerability is currently not listed in the CISA KEV catalog. The description indicates that realistic exploitation requires delivery of a crafted HTML page, implying a web‑based attack vector. While the CVSS score is 8.3, the Chromium security team has labeled the issue as Critical, suggesting that a successful exploitation would result in complete code execution on the host. The lack of an available EPSS score means the current information cannot quantify the likelihood of exploitation, but the combination of a critical severity rating and the remote nature of the attack vector indicates a high risk to affected users. This assessment is based solely on the supplied information and acknowledges that some impact details remain unspecified.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Google

Chrome

affected

Version	Status	Constraints
`148.0.7778.168`	affected	< 148.0.7778.168

No data.

Vendor Product Confidence Versions

Google

Chrome

100%

Version	Status	Scheme	Platform
`[148.0.7778.168,148.0.7778.168)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Google Chrome to version 148.0.7778.168 or later to obtain the vendor‑supplied patch
Disable or restrict the Payment API via Chrome policy if the feature is not required for the user’s workflow
Educate users to avoid opening unknown HTML files or visiting untrusted websites until the browser update is applied

Generated by OpenCVE AI on May 15, 2026 at 13:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6273-1	chromium security update

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00061.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_12.html
https://issues.chromium.org/issues/503619813
https://nvd.nist.gov/vuln/detail/CVE-2026-8520
https://www.cve.org/CVERecord?id=CVE-2026-8520

History

Fri, 15 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Title		chromium-browser: chromium-browser: Race in Payments
Weaknesses		CWE-368
References		https://nvd.nist.gov/vuln/detail/CVE-2026-8520 https://www.cve.org/CVERecord?id=CVE-2026-8520
Metrics	threat_severity `None`	threat_severity `Critical`

Fri, 15 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Title	Chromium Payment Race Condition Allows Sandbox Escape from Crafted HTML

Thu, 14 May 2026 22:45:00 +0000

Type	Values Removed	Values Added
Title		Chromium Payment Race Condition Allows Sandbox Escape from Crafted HTML

Thu, 14 May 2026 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 14 May 2026 22:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Google Google chrome
Vendors & Products		Google Google chrome

Thu, 14 May 2026 20:15:00 +0000

Type	Values Removed	Values Added
Description		Race in Payments in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Weaknesses		CWE-362
References		https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_12.html https://issues.chromium.org/issues/503619813

Subscriptions

Google Chrome

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2026-05-14T19:52:14.937Z

Updated: 2026-05-15T03:57:19.187Z

Reserved: 2026-05-14T05:40:12.804Z

Link: CVE-2026-8520

Vulnrichment

Updated: 2026-05-14T21:18:42.871Z

NVD

Status : Awaiting Analysis

Published: 2026-05-14T20:17:12.770

Modified: 2026-05-14T22:16:46.260

Link: CVE-2026-8520

Redhat

Severity : Critical

Publid Date: 2026-05-14T19:52:14Z

Links: CVE-2026-8520 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-15T13:30:45Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object