Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-15108

CVE-2026-15108: Chrome Extensions API Memory Vulnerability

CVE-2026-15108 is an integer overflow in Google Chrome's Extensions API that enables out-of-bounds memory reads through malicious extensions. This article covers technical details, affected versions, and mitigation strategies.

Published:

CVE-2026-15108 Overview

CVE-2026-15108 is an integer overflow vulnerability [CWE-190] in the Extensions API of Google Chrome versions prior to 150.0.7871.115. The flaw allows an attacker who convinces a user to install a malicious extension to trigger an out-of-bounds memory read through a crafted Chrome Extension. Chromium classifies the internal security severity as High, while the assigned CVSS 3.1 base score is 4.3. Successful exploitation requires user interaction, specifically the installation of an attacker-controlled extension.

Critical Impact

A crafted Chrome Extension can trigger an integer overflow in the Extensions API, resulting in an out-of-bounds memory read that leaks sensitive process memory contents.

Affected Products

  • Google Chrome for Desktop prior to 150.0.7871.115
  • Chromium-based browsers incorporating the vulnerable Extensions API code
  • Environments permitting user-installed Chrome extensions

Discovery Timeline

  • 2026-07-08 - CVE-2026-15108 published to the National Vulnerability Database
  • 2026-07-09 - Last updated in NVD database

Technical Details for CVE-2026-15108

Vulnerability Analysis

The vulnerability resides in the Chrome Extensions API, the interface layer that exposes browser functionality to installed extensions. An integer overflow occurs when arithmetic operations on extension-supplied values exceed the maximum representable value of the underlying integer type. The overflowed value is then used to compute a memory offset or buffer length, causing the runtime to read beyond the intended memory boundary.

Because the read is out-of-bounds rather than an out-of-bounds write, exploitation yields information disclosure rather than memory corruption. The scope is unchanged, meaning the impact is confined to the vulnerable browser process. Leaked memory can include extension data, sensitive browsing artifacts, or pointer values useful for bypassing address space layout randomization (ASLR) in subsequent attacks.

Root Cause

The root cause is missing or insufficient validation of numeric inputs supplied through the Extensions API before those values participate in size or offset calculations. When the calculation wraps past INT_MAX or SIZE_MAX, the result becomes a small or unexpected value that passes downstream bounds checks. The subsequent memory read operates on attacker-influenced boundaries.

Attack Vector

Exploitation requires the victim to install a malicious extension. Once installed, the extension issues crafted calls to the vulnerable Extensions API endpoint, supplying parameters designed to trigger the integer overflow. No additional privileges are required beyond those granted to a standard extension at install time. The attack is delivered over the network via extension distribution channels but ultimately executes locally in the browser process.

Exploitation code is not publicly available. Technical detail is tracked in Chromium Issue #515443146.

Detection Methods for CVE-2026-15108

Indicators of Compromise

  • Installation of Chrome extensions from sources outside the Chrome Web Store or from unverified publishers
  • Chrome browser processes running versions earlier than 150.0.7871.115 in enterprise inventory scans
  • Extensions requesting broad host permissions or chrome.* API surfaces inconsistent with their stated function

Detection Strategies

  • Inventory installed extensions across managed endpoints and correlate extension IDs against known-malicious lists
  • Monitor Chrome update telemetry to identify hosts still running vulnerable builds prior to 150.0.7871.115
  • Review Chrome enterprise reporting for extension installation events, focusing on sideloaded or developer-mode extensions

Monitoring Recommendations

  • Enable Chrome Enterprise Extension Telemetry to capture extension install, update, and permission grant events
  • Alert on browser process anomalies such as unexpected crashes or memory access violations that could indicate exploitation attempts
  • Track outbound network activity from Chrome to unfamiliar domains that may correspond to extension command-and-control channels

How to Mitigate CVE-2026-15108

Immediate Actions Required

  • Update Google Chrome to version 150.0.7871.115 or later on all managed endpoints
  • Audit all installed Chrome extensions and remove any that are unsigned, sideloaded, or lacking a legitimate business purpose
  • Restrict extension installation to an allowlist enforced through Chrome Enterprise policy

Patch Information

Google addressed the issue in the Chrome Stable channel release documented in the Chrome Releases blog. The fixed version is 150.0.7871.115. Chrome's automatic update mechanism will apply the patch on next browser restart for endpoints with updates enabled.

Workarounds

  • Enforce the ExtensionInstallAllowlist and ExtensionInstallBlocklist policies to prevent installation of untrusted extensions
  • Disable developer mode for extensions on managed devices via the DeveloperToolsAvailability policy
  • Force browser restarts after updates using RelaunchNotification and RelaunchNotificationPeriod policies to ensure patches take effect
bash
# Configuration example - Chrome Enterprise policy (Windows registry)
reg add "HKLM\Software\Policies\Google\Chrome\ExtensionInstallBlocklist" /v 1 /t REG_SZ /d "*" /f
reg add "HKLM\Software\Policies\Google\Chrome\ExtensionInstallAllowlist" /v 1 /t REG_SZ /d "<approved-extension-id>" /f
reg add "HKLM\Software\Policies\Google\Chrome" /v DeveloperToolsAvailability /t REG_DWORD /d 2 /f

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.