CVE-2026-12456 Overview
CVE-2026-12456 is a same-origin policy bypass vulnerability in the Extensions component of Google Chrome prior to version 149.0.7827.155. An attacker who convinces a user to install a crafted Chrome Extension can use that extension to bypass the same-origin policy (SOP). The flaw is tracked under CWE-20: Improper Input Validation and was assigned a Chromium security severity rating of High by Google, while NVD scored it at 4.2 (Medium). The issue affects Chrome on Windows, macOS, and Linux desktop platforms.
Critical Impact
Successful exploitation lets a malicious extension read or manipulate cross-origin web content, exposing user session data, authenticated application state, and confidential information rendered in the browser.
Affected Products
- Google Chrome prior to 149.0.7827.155 on Microsoft Windows
- Google Chrome prior to 149.0.7827.155 on Apple macOS
- Google Chrome prior to 149.0.7827.155 on Linux
Discovery Timeline
- 2026-06-17 - CVE-2026-12456 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-12456
Vulnerability Analysis
The vulnerability resides in how Chrome's Extensions subsystem validates and enforces origin boundaries for extension-driven requests and DOM interactions. A crafted extension can construct inputs that the Extensions implementation handles incorrectly, allowing it to act on resources outside its permitted origin scope. The result is a bypass of the same-origin policy, the foundational browser control that isolates content between web origins.
The EPSS score is 0.134% with a percentile of 3.19, reflecting limited current exploitation telemetry. User interaction is required because the attacker must convince the victim to install the malicious extension before the bypass becomes reachable. Once installed, the extension can operate within the browser process context across user sessions.
Root Cause
The defect is categorized as CWE-20: Improper Input Validation. The Extensions component does not adequately validate extension-supplied data before applying it to security-sensitive cross-origin operations. This permits a crafted extension manifest or runtime payload to bypass the checks that normally constrain extension activity to its declared origins and host permissions.
Attack Vector
The attack is delivered over the network and requires user interaction. An adversary publishes or sideloads a malicious Chrome Extension and convinces the target to install it through social engineering, a typosquatted Web Store listing, or a compromised developer account. After installation, the extension issues crafted requests or DOM operations that exercise the flawed validation path and read or modify content belonging to other origins. Refer to the Chromium Issue Tracker Entry and the Google Chrome Update Announcement for vendor technical context.
No verified proof-of-concept is publicly available for CVE-2026-12456. Refer to the Chromium issue tracker for vendor technical details.
Detection Methods for CVE-2026-12456
Indicators of Compromise
- Unexpected Chrome extensions appearing under chrome://extensions that were not deployed by the organization or installed by the user.
- Extension manifests requesting broad host_permissions such as <all_urls> combined with webRequest or scripting APIs.
- Outbound network requests originating from the Chrome process to attacker-controlled domains shortly after extension installation.
- Chrome browser versions reported in inventory data below 149.0.7827.155.
Detection Strategies
- Inventory installed extensions across managed endpoints and compare extension IDs against an approved allowlist.
- Hunt for newly installed extensions correlated with user-driven downloads from non-Web Store sources or developer mode installs.
- Inspect HTTP telemetry for cross-origin requests sourced from extension service workers that do not match declared host permissions.
Monitoring Recommendations
- Monitor Chrome version telemetry and flag any host running a build older than 149.0.7827.155.
- Alert on changes to the Preferences and Secure Preferences files within the Chrome user profile, which record extension installation state.
- Track creation of new entries under the ExtensionInstallForcelist and ExtensionInstallAllowlist Group Policy keys on Windows endpoints.
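The indicators and detection strategies above (unapproved extension IDs, broad host_permissions combined with webRequest or scripting, and builds older than 149.0.7827.155) can be checked in one pass over a Chrome profile's Preferences or Secure Preferences file. The script below is an added example, not code from the advisory or from Google; it assumes the extensions.settings layout of those files and uses a constructed sample document with placeholder extension IDs.

```python
import json

PATCHED_VERSION = "149.0.7827.155"  # fixed Stable build named in the advisory
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_APIS = {"webRequest", "webRequestBlocking", "scripting", "declarativeNetRequest"}

def version_tuple(version):
    """Turn a dotted Chrome version string into a comparable tuple of ints."""
    return tuple(int(part) for part in version.split("."))

def chrome_is_vulnerable(installed_version):
    """True when the reported build predates the fixed release."""
    return version_tuple(installed_version) < version_tuple(PATCHED_VERSION)

def manifest_findings(ext_id, manifest, allowlist):
    """Return human-readable findings for one extension manifest (empty list if clean)."""
    findings = []
    if ext_id not in allowlist:
        findings.append("not on approved allowlist")
    # MV3 lists host patterns under host_permissions; MV2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    apis = set(manifest.get("permissions", [])) & SENSITIVE_APIS
    if hosts & BROAD_HOSTS and apis:
        findings.append("broad host access %s combined with %s"
                        % (sorted(hosts & BROAD_HOSTS), sorted(apis)))
    return findings

def audit_preferences(prefs_json, allowlist):
    """Walk extensions.settings (assumed layout of Chrome's Preferences files) and report findings per ID."""
    settings = json.loads(prefs_json).get("extensions", {}).get("settings", {})
    report = {}
    for ext_id, entry in settings.items():
        findings = manifest_findings(ext_id, entry.get("manifest", {}), allowlist)
        if findings:
            report[ext_id] = findings
    return report

# Constructed sample (placeholder IDs); real files carry many more keys.
SAMPLE_PREFS = json.dumps({"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"manifest": {"name": "Approved Helper", "manifest_version": 3,
        "permissions": ["storage"], "host_permissions": ["https://intranet.example/*"]}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"manifest": {"name": "Sideloaded Tool", "manifest_version": 3,
        "permissions": ["scripting", "webRequest"], "host_permissions": ["<all_urls>"]}},
}}})
APPROVED = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}

if __name__ == "__main__":
    for ext_id, findings in audit_preferences(SAMPLE_PREFS, APPROVED).items():
        print(ext_id, "->", "; ".join(findings))
    print("Chrome 149.0.7827.100 vulnerable:", chrome_is_vulnerable("149.0.7827.100"))
```

On a real endpoint, feed it the contents of the profile's Secure Preferences file and the output of google-chrome --version (or the equivalent inventory field) instead of the constructed sample.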
How to Mitigate CVE-2026-12456
Immediate Actions Required
- Update Google Chrome to version 149.0.7827.155 or later on all Windows, macOS, and Linux endpoints.
- Audit installed extensions across the fleet and remove any that are unknown, unsigned, or no longer required.
- Restrict extension installation to a vetted allowlist using enterprise policy.
Patch Information
Google addressed CVE-2026-12456 in Chrome Stable channel build 149.0.7827.155. Deployment details are documented in the Google Chrome Update Announcement. Managed environments should push the update through Google Update, Chrome Browser Cloud Management, or platform package managers and verify the version on each endpoint after rollout.
Workarounds
- Enforce ExtensionInstallAllowlist and ExtensionInstallBlocklist policies to prevent installation of unapproved extensions until patching is complete.
- Disable developer mode and sideloading for non-administrative users to block manual installation of crafted extension packages.
- Educate users to install extensions only from the official Chrome Web Store and to scrutinize requested permissions.
# Windows Group Policy registry example (run from an elevated PowerShell prompt): block all extensions, then allow only the approved ID
reg add "HKLM\Software\Policies\Google\Chrome\ExtensionInstallBlocklist" /v 1 /t REG_SZ /d "*" /f
reg add "HKLM\Software\Policies\Google\Chrome\ExtensionInstallAllowlist" /v 1 /t REG_SZ /d "<approved-extension-id>" /f
# Verify Chrome version on Linux endpoints
google-chrome --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.