Description
Inappropriate implementation in CORS in Google Chrome on Linux and ChromeOS prior to 148.0.7778.168 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-05-14
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability stems from an incorrect implementation of cross‑origin resource sharing in Google Chrome on Linux and ChromeOS. The flaw allows a malicious web page to bypass CORS checks and read data from a different origin, resulting in unauthorized disclosure of content that should be protected by same‑origin policies. The primary impact is loss of confidentiality, with the possibility of further social engineering or exploitation once sensitive data is exposed. The vulnerability is classified as CWE‑940 and the newly identified CWE‑942.

Affected Systems

All users running Google Chrome on Linux or ChromeOS with a browser version older than 148.0.7778.168 are affected. Updating to version 148.0.7778.168 or later removes the vulnerability.

Risk and Exploitability

Chromium assigns a Medium severity rating, reflected in a CVSS score of 4.3. The EPSS score is reported as <1%, indicating a low but non‑zero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers must entice a user to visit a crafted malicious web page, making the vector remote yet dependent on user interaction. Successful exploitation would expose any data that is normally guarded by CORS checks on the victim’s machine. The issue aligns with CWE‑940 and CWE‑942.

Generated by OpenCVE AI on May 15, 2026 at 17:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Chrome update (≥148.0.7778.168).
  • If an update cannot be applied immediately, limit browser use to known, trusted sites and avoid opening untrusted web content.
  • Configure the browser to enforce site isolation and disable legacy features that could expose cross‑origin data until the patch is applied.

Generated by OpenCVE AI on May 15, 2026 at 17:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6273-1 chromium security update
History

Fri, 15 May 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Fri, 15 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-942
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

Fri, 15 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title Chrome CORS Misimplementation Allows Cross‑Origin Data Leakage on Linux and ChromeOS chromium-browser: chromium-browser: Inappropriate implementation in CORS
Weaknesses CWE-940
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

threat_severity

Moderate

Thu, 14 May 2026 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 14 May 2026 22:15:00 +0000

Type Values Removed Values Added
Title Chrome CORS Misimplementation Allows Cross‑Origin Data Leakage on Linux and ChromeOS
Weaknesses CWE-200

Thu, 14 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in CORS in Google Chrome on Linux and ChromeOS prior to 148.0.7778.168 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-15T13:44:41.044Z

Reserved: 2026-05-14T05:40:25.807Z

Link: CVE-2026-8576

cve-icon Vulnrichment

Updated: 2026-05-15T13:44:37.946Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-14T20:17:19.967

Modified: 2026-05-15T15:16:55.880

Link: CVE-2026-8576

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-14T19:52:40Z

Links: CVE-2026-8576 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T17:15:04Z

Weaknesses