CVE-2026-0905 Overview
CVE-2026-0905 is an information disclosure vulnerability affecting Google Chrome's Network component. The flaw stems from insufficient policy enforcement that allows an attacker who has obtained a network log file to potentially extract sensitive information. This vulnerability affects Google Chrome versions prior to 144.0.7559.59 and has been classified as an Information Exposure issue (CWE-200).
Critical Impact
Attackers with access to network log files can potentially extract sensitive data, including authentication tokens, session identifiers, and other confidential information that may be inadvertently logged due to insufficient policy enforcement.
Affected Products
- Google Chrome versions prior to 144.0.7559.59
- Chromium-based browsers using affected Network component versions
- Desktop platforms running vulnerable Chrome installations
Discovery Timeline
- January 20, 2026 - CVE-2026-0905 published to NVD
- January 20, 2026 - Last updated in NVD database
Technical Details for CVE-2026-0905
Vulnerability Analysis
This vulnerability is rooted in insufficient policy enforcement within Google Chrome's Network component. The flaw allows sensitive information to be exposed through network log files, which are diagnostic files used to troubleshoot network-related issues within the browser.
Under normal circumstances, network logging should sanitize or exclude sensitive data such as authentication credentials, cookies, and session tokens. However, due to improper policy enforcement, this sensitive information may be written to log files in a recoverable format. An attacker who gains access to these log files—whether through local access, malware, or social engineering—could potentially harvest this data for further attacks.
The vulnerability is particularly concerning in enterprise environments where network log files may be collected centrally for diagnostics or shared during support interactions without proper sanitization.
Root Cause
The root cause of CVE-2026-0905 lies in the inadequate enforcement of data sanitization policies within Chrome's Network logging functionality. The logging mechanism fails to properly filter or redact sensitive network traffic data before writing it to log files. This design oversight allows potentially sensitive information—such as request headers containing authentication tokens, cookies, and other session data—to persist in log files that could be accessed by unauthorized parties.
Attack Vector
This vulnerability requires an attacker to obtain access to Chrome's network log files. The attack vector involves:
Log File Acquisition: The attacker must first obtain the network log file, which could occur through local system access, phishing users into sharing diagnostic files, or exploiting another vulnerability to exfiltrate files.
Data Extraction: Once the log file is obtained, the attacker can parse the contents to extract sensitive information such as authentication tokens, session cookies, API keys, or other confidential data that was improperly logged.
Credential Abuse: The extracted credentials or session data can then be used for session hijacking, unauthorized access to user accounts, or further lateral movement within target systems.
While the attack requires the attacker to first obtain the log file (typically through secondary means), the information disclosure impact can be severe depending on what sensitive data was captured in the logs during the user's browsing session.
Detection Methods for CVE-2026-0905
Indicators of Compromise
- Unexpected access to Chrome network log files (typically located in user profile directories)
- Anomalous file read operations targeting Chrome diagnostic or log directories
- Evidence of log file exfiltration through network monitoring or endpoint detection
Detection Strategies
- Monitor for unauthorized access to Chrome's network logging directories and associated net-export log files
- Implement file integrity monitoring on Chrome profile directories to detect unexpected reads or copies of log files
- Review endpoint detection logs for suspicious processes accessing Chrome diagnostic data
- Configure alerting on outbound transfers of .json or .log files from Chrome profile paths
Monitoring Recommendations
- Enable enhanced logging on endpoints to track file access events related to browser data directories
- Deploy behavioral analytics to identify unusual patterns of diagnostic file collection or transmission
- Implement network monitoring to detect potential exfiltration of log files to external destinations
- Conduct periodic audits of shared diagnostic files to ensure sensitive data is not inadvertently exposed
How to Mitigate CVE-2026-0905
Immediate Actions Required
- Update Google Chrome to version 144.0.7559.59 or later immediately
- Review any previously shared or stored network log files and delete those that may contain sensitive information
- Educate users about the risks of sharing browser diagnostic files with untrusted parties
- Implement access controls to restrict unauthorized access to browser profile directories
Patch Information
Google has addressed this vulnerability in Chrome version 144.0.7559.59. The fix implements proper policy enforcement to ensure sensitive data is appropriately sanitized before being written to network log files.
For detailed patch information, refer to the Chrome Blog Update and the Chromium Issue Tracker #465466773.
Organizations using enterprise Chrome deployments should push updates through their existing browser management solutions to ensure all endpoints are patched promptly.
Workarounds
- Avoid generating or sharing network log files until the browser is updated
- If network logging is necessary, ensure log files are deleted immediately after troubleshooting
- Restrict user permissions to prevent unauthorized access to Chrome profile directories
- Use enterprise policies to disable network logging functionality if not required for operations
# Verify Chrome version on Linux/macOS
google-chrome --version
# Expected: Google Chrome 144.0.7559.59 or higher
# Enterprise Chrome policy to restrict net-export (Windows Registry example)
# HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome
# Create DWORD: NetExportEnabled = 0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
