Description
Insufficient policy enforcement in ServiceWorker in Google Chrome prior to 148.0.7778.179 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-20
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is insufficient policy enforcement for the ServiceWorker API in Chrome versions earlier than 148.0.7778.179. It allows a remote attacker to craft an HTML page that tricks the browser into executing a ServiceWorker script which then reads or copies data from another origin, violating same‑origin security guarantees. This vulnerability maps to improper default permission enforcement (CWE‑693).

Affected Systems

All users of Google Chrome before version 148.0.7778.179 are affected. The fix was released with Chrome 148.0.7778.179 and subsequent stable releases on all supported operating systems.

Risk and Exploitability

The reported CVSS score of 4.3 is the base score for this vulnerability. No EPSS score is currently available, indicating low publicly known exploitation probability but not zero. The vulnerability is not listed in CISA’s KEV catalog. Attackers only need to host or embed a malicious web page that a victim visits; no further privileges are required.

Generated by OpenCVE AI on May 20, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 148.0.7778.179 or newer.
  • Disable ServiceWorker use for sites that do not need it using enterprise policy or site‑settings.
  • Maintain vigilance by regularly checking Chrome release notes and promptly applying subsequent security updates.

Advisories

No advisories yet.

History

Wed, 20 May 2026 23:45:00 +0000

Type Values Removed Values Added
Title Insufficient ServiceWorker Policy Enforcement Enables Remote Cross‑Origin Data Leakage

Wed, 20 May 2026 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-285

Wed, 20 May 2026 21:00:00 +0000

Type Values Removed Values Added
Title Insufficient ServiceWorker Policy Enforcement Enables Remote Cross‑Origin Data Leakage
Weaknesses CWE-285

Wed, 20 May 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 20 May 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Wed, 20 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in ServiceWorker in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-20T19:38:36.913Z

Reserved: 2026-05-20T17:39:22.386Z

Link: CVE-2026-9116

Vulnrichment

Updated: 2026-05-20T19:38:33.851Z

NVD

Status : Received

Published: 2026-05-20T20:16:42.843

Modified: 2026-05-20T20:16:42.843

Link: CVE-2026-9116

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T23:30:41Z

Weaknesses